ABSTRACT

The Navy Regional Data Automation Centers (NARDACs)
became a Navy Industrial Fund (NIF) activity on 1 October
1983. This change requires that NARDACs bill customers for
all data processing (DP) services provided. The impact of
the change to NIF accounting on the evaluation of management
performance is addressed within the context of the defined
control structure. The purpose of this thesis is to present
background information on the NIF concept, NARDACs, and
operational audits, and to provide general recommendations
for the design and application of operational auditing for a
NARDAC. It is also to discuss benefits to be derived by
managers of a NARDAC examined by an operational audit. A
guide for performing an operational audit of a NARDAC is
outlined.

I. INTRODUCTION

A. GENERAL

In an attempt to understand the environment in which the 
Navy Regional Data Automation Centers (NARDACs) operate, it 
is essential to examine the fundamentals of the business of 
managing information services in general. This requires 
taking a wider view of computers, information resources 
management, and the events that led to the formation of the 
Naval Data Automation Command (NAVDAC). A review of the
factors leading to the establishment of NAVDAC as a Navy 
Industrial Fund (NIF) activity is also necessary. 

The Navy Regional Data Automation Centers (NARDACs) can 
be likened to an information services department in a large 
business corporation. NARDACs are information processing 
centers operating under the central management of the Naval 
Data Automation Command. They exist to provide high 
quality, low cost, non-tactical data processing services to
operational customers in regions of extensive Navy activity.
Each NARDAC is a support organization dedicated to improving
the quality of computer support available to Navy activities 
in its region. Automated data processing (ADP) services 
offered by the NARDACs range from one-time technical consul- 
tations to full responsibility for processing applications 
on a scheduled production basis. Clients negotiate as 
requirements arise for the level of support needed. Thus, 
the extensive literature dealing with corporate information 
services management is applicable to NARDACs. 

B. COMPUTERS--A HISTORICAL PERSPECTIVE



Managing information resources has become a task of 
overwhelming size and complexity. Technological, social,
cultural, and political issues interact with one another 
making it increasingly difficult to distinguish which issue 
is important and which is not. Yet making these distinc- 
tions is essential to any organization with a large invest- 
ment in information resources — people, machines, and 
technologies. 

Unit costs of hardware continue to decline [Ref. 1].
Because computer needs continue to rise, total hardware 
costs continue to rise. Purchased software costs are rising 
slightly and people costs are rising at an ever increasing 
rate. These economic trends affect both the manager and 
users' perception of system efficiency. 

Over the past thirty years, the rapid evolution and
spread of computers, telecommunications, and office
automation has created a major new set of managerial changes.
Attempts to resolve these challenges have resulted in the
creation of new departments, massive recruiting of staff,
major investments in computer hardware and software,
mechanization of routine tasks--inventory, payroll and accounts
receivables--and installation of systems which have had a
profound impact on how the organization operates.

Managing these challenges is complex because far too 
many members of the computer professional community received 
both their education and early work experience in a time 
prior to the wide-scale introduction of computer technology. 
The cultural impact has resulted in managers who feel 
somewhat uneasy about the subject and lack confidence that 
they have the appropriate background to provide managerial 
oversight. Their firsthand technical experience was with 
technologies vastly different from those of the 1980s. 

In the early 1960s, the computing business began to look
so different because of software development and stored
programming. Only a small percentage of the professionals
managed the transition to that new and totally different
information management culture. Understanding the
programming challenges of the rotational delay of the drum of
machines in that era, however, provides no value in dealing
with the challenges posed by today's sophisticated computer
operating systems. [Ref. 2]

Moreover, understanding of what makes acceptable
management practice in this field has changed dramatically since
the early 1970s. Virtually all major, currently acceptable
frameworks for thinking about how to manage in this field
have been developed since then. Consequently, a special
burden has been placed on information systems management,
not just to meet day-to-day operating problems and new
technologies, but to assimilate and implement quite different
ways of managing the activity. If not committed to a
process of self-renewal, occupational obsolescence very
quickly results.

C. CHALLENGE OF INFORMATION SERVICES MANAGEMENT

It would be a serious mistake, of course, to consider
the problems of computer systems management as being totally
unique and separate from those of general management. The
various elements of the data processing function require a
high level of continuing communications and cohesive
interrelationships to ensure adequate planning, development, and
implementation of complex systems. The issues of information
services organization, planning, control, strategy
formulation, budgeting, transfer pricing, profit centers,
cost centers, and so forth, are relevant here. The individual
aspects of computer management problems thus are not
unique. What is unique is the combination of these issues
in running an efficient and evolving function.

Because of this combination of issues, data processing is
unlike any other activity within an organization. It 
combines a highly technical skill level with creativity. It 
requires a broad management outlook in its design stages, 
but an extremely detailed outlook in its implementation 
stages. Its managers must be concerned about the impact of 
their work on overall policy, procedure, and organization 
structure, while still maintaining an interest in individual 
data fields. It is a service function, yet it significantly 
influences the procedures of those it serves. It may be 
organizationally placed as one function, yet must maintain 
an objectivity in meeting the needs of functions crossing 
many organizational lines. To accomplish its job, its 
managers must have a line manager’s knowledge of other func- 
tions within the company and still maintain a staff advisory 
outlook.

Each of these facets places a special burden on the 
selection of the appropriate information systems organiza- 
tional structure. Data processing management must be 
continually alert to the fact that today’s appropriate orga- 
nization structure may not meet tomorrow’s conditions or 
needs. Organization structure seldom remains static, and 
should be modified to meet changing conditions of assigned 
responsibilities, service role, and growth. 



D. NAVAL DATA AUTOMATION COMMAND (NAVDAC)

This section provides a brief look at the Naval Data
Automation Command (NAVDAC) organization, its mission and
the field activities under NAVDAC. NAVDAC, and the NARDACs
and NAVDAFs, were formed as the result of the "Navy
Automatic Data Processing (ADP) Reorganization Study
Implementation Plan" of October, 1976. The reorganization
was in response to the major ADP problems brought to light
by a General Accounting Office (GAO) report that was
critical of Navy ADP. In October 1977, NAVDAC became
operational. The mission of the NAVDAC is to administer and
coordinate the Navy non-tactical ADP program. This
responsibility includes collaboration of ADP matters with
all Navy ADP claimants; development of policy and
procedures; approval of systems development, acquisition and
utilization of ADP equipment and service contracts;
sponsoring of ADP technology; and career development and
training of ADP personnel. NAVDAC consists of a headquarters
staff located in the Washington Navy Yard and field
activities situated throughout the country in areas of high
concentration of Naval activities. Figure 1.1 displays a
diagram of the NAVDAC organization. These field activities
are called NARDACs and Navy Data Automation Facilities
(NAVDAFs).

Each NARDAC established under the NAVDAC was formed from
existing facilities and operations in a particular
geographical area. The seven NARDACs are located in Washington,
D.C., Norfolk, Virginia, Jacksonville and Pensacola,
Florida, San Francisco and San Diego, California and New
Orleans, Louisiana. Each activity is designed to provide a
full range of data processing services to their assigned
geographic area. A standard NARDAC organization is depicted
in Figure 1.2. Each center, however, may have specialized
units to meet special requirements. The goal was to provide
the Navy with "centers of excellence" that would provide
data processing services, programming support, technical
expertise, trouble shooting, telecommunications networking,
distributed processing, and other ADP related services.
[Ref. 3]

[Chart: NAVAL DATA AUTOMATION COMMAND]

Figure 1.1 NAVDAC Organization Chart.

[Chart: ORGANIZATION STRUCTURE]

Figure 1.2 A NARDAC Organization Chart.

The NARDACs became Navy Industrial Funded (NIF)
activities on 1 October 1983. This requires that NARDACs bill
customers for services provided. The problem began on
February 1, 1978, with the delivery of a report by the
General Accounting Office (GAO) to the Congress entitled
"Accounting for Automatic Data Processing Costs Needs
Improvements" [Ref. 4]. After studying the cost accounting
practices of twenty-six federal organizations, the GAO
concluded that all were using inadequate accounting methods.
The report stated that without accurate costs, computer
center managers may choose uneconomical alternatives when
replacing or adding to computer facilities. They may also
fail to charge users of computer facilities equitable
amounts for services rendered. Further, functional managers
cannot make the best decisions when they are not aware of
the total cost of implementing and operating their
applications systems. GAO stated that cost records should be
structured so that costs for both data processing and the
agencies' programs can be identified. The report concluded
that the mission funded concept was not adequate for the
cost accounting necessary for computer operations.

The strongest point made in the GAO report was that the 
cost of computer services as reported by federal agencies 
often excluded major items of costs, such as military labor 
and overhead. Computer services cost had traditionally been 
stated in terms of Operations and Maintenance, Navy (O&MN)
costs, since these costs were the only costs billable to the
customer under the Resources Management System (RMS). The 
report indicated that an accounting system was necessary 
that would reflect the true cost of providing the computer 
services. [Ref. 5] 

The GAO issued guidelines for accounting for ADP costs
which state that "all significant elements of cost directly
related to acquiring computers and associated assets and to
performing data processing functions should be collected and
accounted for in ways useful for management, budgeting, and
external reporting. Organizational boundaries and
differences in financing methods should not prevent reasonable
compilation of all ADP-related expenses in cost accounts."
The categories of cost required for full cost accounting
are: [Ref. 6]



1. Personnel. Salaries and fringe benefits for
civilian and military personnel who perform and
manage ADP functions: ADP-related custodial
services, security, building maintenance, and
contract management.

2. Equipment. Nonrecurring expenditures for
acquisition and recurring costs for rental, leasing, and
depreciation of computers and associated on-line and
off-line ADP equipment.

3. Computer Software. Nonrecurring expenditures for
acquisition and conversion, and recurring expenses
for rental, leasing, and depreciation of all types
of software--operating, multipurpose, and
application.

4. Space Occupancy. Funded and unfunded costs for:
(a) rental, lease, and depreciation of buildings and
general office furniture; (b) buildings maintenance;
(c) regular telephone service and utilities; and (d)
custodial services and security.

5. Supplies. Expenditures for noncapital office
supplies and general-purpose and special-purpose
data processing materials.

6. Intra-agency Services and Overhead. The costs of
normal agency support services and overhead, either
billed or allocated, and the costs of central
management, policy, and procurement services.

7. Contracted Services. Any of the above services if
procured contractually.



In response to both the GAO report and a congressional 
study conducted by the House Appropriations Committee's 
(HAC) Survey and Investigation Staff, the Navy recommended
the addition of the NARDACs to the Navy Industrial Fund as 
part of Fiscal Year 1984 Navy input to the President's 
Budget. 

II. THE NAVY INDUSTRIAL FUND

A. BACKGROUND

The Navy Industrial Fund (NIF) was established as a
means of helping certain Navy activities to function more
efficiently and in a business-like manner. The reasoning
behind the establishment of the Industrial Fund was that
commercial/industrial type of activities that are qualified
to operate under NIF could be freed from many of the worries
arising from the total dependence on the cycle of annual
appropriations (authorizations from Congress to set aside
certain funds for specific purposes for limited time
periods). For this reason, the Navy Industrial Fund
Appropriation was established by Congress. The NIF
Appropriation has indefinite life from which qualified
commercial/industrial activities can be given working
capital (cash) to operate on a revolving fund basis similar
to private enterprise. [Ref. 7]



The term "revolving fund" means that working capital 
(called NIF corpus) is used to finance operations from 
the time that specific work is begun to the time that 
payment is received from the customer. [Ref. 8] 



All commercial/industrial enterprises need working
capital. The difference between private industry and
government is, of course, the profit motive. With NIF, the
financial goal is to break even. This means the NIF
activity should charge the customer the same prices as it
costs the NIF activity to do the work. The NIF fund
"revolves" in that payment received from the customers
replenishes the working capital fund which is continually
used to finance operations. The attempt to break even
requires rigorous control of costs, and projection of
billing rates, because if NIF has cost overruns, it incurs
losses (not just making a little less profit as is the case
of private industry). [Ref. 9]

The Navy operates 51 activities under the Navy
Industrial Fund. Figure 2.1 is a listing of the various NIF
Activity Groups, and relative volume of customer orders as
budgeted for Fiscal Year (FY) 1984. The Navy Regional Data
Automation Centers (NARDACs) are operating as a single
member activity group under the NIF for the first time,
beginning FY 1984, in keeping with the Congressional intent
of the FY 1982 DOD Appropriation Act. [Ref. 10]

NIF ACTIVITY GROUP STRUCTURE

Activity Group                       Number of     FY 1984 Budget
                                     Activities    $ Millions

Navy Research Lab                         1          $ 324
Military Sealift Command                  1          2,334
Shipyards                                 8          3,557
Ordnance Facilities                      10          1,328
Air Rework Facilities                     6          1,536
Air Labs                                  3            647
Air Engineering Center                    1            142
Aviation Center                           1            155
Public Works Centers                      8            967
Construction Engineering Lab              1             41
Publications and Printing Service         1            187
Missile Facilities                        2             64
Navy Research Labs                        7          2,039
Regional Data Automation Centers          1            157

Totals                                   51          [illegible]

Figure 2.1 NIF Activity Group Structure.

The activity groups are organizationally controlled by
and responsible to Activity Group commanders such as Naval
Sea Systems Command (NAVSEA) for all shipyards and Naval
Data Automation Command (NAVDAC) for all NARDACs. Overall
NIF management is the responsibility of the Comptroller of
the Navy (NAVCOMPT) who must not over obligate the corpus as
a whole.

The specific directive under which Industrial Funds have
been implemented within the Department of Defense is DOD
Directive 7410.4.

The Navy Industrial Fund is a one-time appropriation of
working capital provided by Congress from which the
Comptroller of the Navy allocates required amounts to
activities approved for operations under the Navy
Industrial Fund. [Ref. 11]

This appropriation was established in 1949. The
corresponding NIF Accounting System, rather than the
appropriation itself, is usually referred to as "NIF". The
Comptroller Manual, Volume 3, Chapter 3, entitled "Navy
Industrial Fund" is the Navy implementation of DOD directive
7410.4.

The inception of the Navy Industrial Fund with applica- 
tion of modern business methods was widely heralded by the 
public as an effort on the part of the military to end
inefficiency and waste, to create cost consciousness at all
levels, and to reflect tangible savings as the result of 
sound financial management. 

The Comptroller of the Navy, in reporting on the effect
of industrial funding, stated:

"It should be re-emphasized that the installation of NIF
financing and its related 'custom-built' budgeting,
accounting, and reporting system at an industrial-type
or commercial-type field activity, of itself does not
assure an efficient and economical operation. Many
potent management tools are inherent in these NIF
systems, however, especially in the cost control and
financial control areas; and the proper use of these
tools should materially assist in the effective
management of industrial-commercial type activities."
[Ref. 12]

An important aspect of the NIF System is the concept of
a revolving fund and its inherent flexibility. The fund is 
used as operationally required to finance work for customers 
on a self-sustaining basis. The Industrial Fund Activity 
takes orders for work from Navy customers, performs the work 
with dollars from the fund, bills the customers for the 
work, and receives reimbursement from the customers. The 
fund is reimbursed for supplies and materials used, services
rendered, or labor performed by charges to applicable 
customer appropriations or payments received in cash. 
Consequently, the NIF provides the following advantages: 

1. A modern business-type budgeting and accounting
system permitting "tailor-made" adaptations.

2. A basic accounting system that has been stable for
years and promises to continue relatively unchanged
(especially important in this age of automation).

3. Authority, though limited, to start emergency work
on a sponsor's order prior to receipt of funds
(Commanding Officer's orders).

4. A means of financing and carrying inventories of
non-standard material.

5. The convenience of using working capital for
initially charging all costs.

6. A method for developing total costs of each task or
project, including overhead.

7. A means for producing management cost data by job
orders, cost centers, or other organizational
breakdowns.

8. Assistance for management to better control money,
manpower, material, and facility resources.

Figure 2.2 is a list of all NIF activity groups and
activity group managers.

Basic to the functioning of NIF activities is the
division of effort into functional units called cost centers.
Under the cost center concept, any level of the
organizational structure might be a cost center. It could be an
entire department or a subdivision of one.

GROUP                          MANAGER

R & D Centers                  Chief of Naval Material
Shipyards                      Naval Sea Systems Command
Ordnance Activities            Naval Sea Systems Command
Air Rework Facilities          Naval Air Systems Command
Test and Eval. Activities      Chief of Naval Material
Public Work Centers            Naval Fac. Eng. Command
Civil Engineering Lab          Naval Fac. Eng. Command
Navy Printing & Pubs.          Navy Supply Systems Command
Strategic Weapons Fac.         Strategic Sys. Prog. Command
NARDACS                        Naval Data Automation Command

Figure 2.2 Activity Group Managers.

All orders are accepted on the basis of a fixed price or 
on a cost reimbursable basis. In either case, the estimated 
costs are based upon the published stabilized rates
pertaining to the product or service ordered. These stabi- 
lized rates are based upon budgeted costs. Customers are 
billed at the stabilized rate regardless of the actual cost. 
Non federal government customers are exempt from the rate 
stabilization program and are charged actual costs incurred. 
Fixed price orders are negotiated and billed on the basis of 
stabilized rates. When actual costs are less than the 
billed price, the activity makes a profit. A loss occurs
when actual costs are more than the billed price. 

NIF activities submit their budget (A-11 Budget)
directly to NAVCOMPT into the Navy Industrial Fund Reporting
System (NIFRS). NAVCOMPT operates the NIFRS and maintains
a budget data base for use by the NIF Activity Group
Managers and for Department of the Navy (DON) NIF budgets
and reports. The NIFRS also captures individual NIF
activity monthly reports, summarizes the data by NIF Activity
Group and prepares the monthly reports for DON. It allows
evaluation of NIF activities performance in comparison to
the budget.

B. RATE STABILIZATION

NAVCOMPT Instruction 7600.233 provided amplifying
guidance as follows:

"In developing and establishing rates, each activity
will adhere to the principle of aligning rates to
recover operating costs. Activities should devise a
sufficient number of rates to ensure that the rate
system is a reasonable model of the actual cost of
performing the various categories of work or services
covered by the rates. Stabilized rates submitted by the
activities will be reviewed and adjusted by the Activity
Group manager, to provide the necessary changes to
offset the total prior year gains or losses thereby
achieving zero profit and loss in the Accumulated
Operating Results Account of the Activity Group. Gains
and losses will normally be fully offset during the year
following their occurrence, and will be reflected
uniformly in the rates of the Activity Group. Changed
conditions resulting from the Office of the Secretary of
Defense review of the Activity Group manager's A-11
Budget, and changes in the customer programs occurring
during the budget review cycle will result in stabilized
rates being again reviewed and additional changes made
where appropriate." [Ref. 13]



Rates established for NIF activities are expected to 
remain in effect for the entire fiscal year. Shipyard 
rates, however, are normally in effect for the entire period 
that a ship is in the yard regardless of the number of 
fiscal years involved. Rates for work unrelated to the ship 
will change with the fiscal year. Rate changes during the 
fiscal year are expected to be rare, and may be made only 
upon approval of the Assistant Secretary of Defense 
(Comptroller). In a major sense, rate stabilization did 
help the Navy to cope with the radical swing in inflation,
utilities, and fuel prices during Fiscal Year 1978 through 
Fiscal Year 1981. 

A significant problem associated with stabilization is 
the failure of the process to make known the stabilized 
rates to the customers early enough to be useful in budget 
preparation at the local level. The process of attempting 
to balance the customer budget requests with the NIF funding 
in the President's Budget is done by NAVCOMPT, a level
considerably higher than local customer budgeting, causing 
imbalances that are not discovered until a year later. 






Any variance between stabilized-rate billing and actual
costs becomes a profit or loss of the NIF activity and is
absorbed by the corpus. By the time a profit or loss is
realized, however, the next year's rates are already
established. These profits or losses are not offset, therefore,
until the next rates are set. The NIF activity,
consequently, essentially operates on a three-year cycle.

The essence of rate stabilization is that rates are set 
annually for the entire fiscal year. The combination of 
rate stabilization and NIF budgeting results in rates being 
set one to two years in advance of actual use in billing. 
The rates charged represent modifications by the NIF 
Activity Group commander, NAVCOMPT and the Office of the
Secretary of Defense (OSD) to those proposed by the NIF 
activity. As a consequence, individual NIF activity 
commanders do not directly determine rates or change stabi- 
lized rates when a flaw is found. Stabilization has 
resulted in a rather substantial loss of autonomy by NIF 
activities because they are no longer in control of the 
inflow of resources to their command and can not control the 
profit or loss for a particular period. The cash balance is 
also beyond their control. In spite of this lack of 
control, the performance of NIF activity commanders has been 
evaluated with the financial position of the individual 
activity as a factor. It seems obvious that the control 
system was weakened by rate stabilization and the loss of 
autonomy by NIF activities. 

III. [illegible] ACCOUNTING PROCEDURES

A. NAVY ACCOUNTING AT THE HEADQUARTERS LEVEL

Accounting in the Federal Government provides financial
information for use by the management of a particular agency
and for use by the Department of Treasury, Office of
Management and Budget (OMB), and the Congress. Such
information is used for these various reasons:



1. Facilitate efficient management. 

2. Support budget requests. 

3. Show the extent of compliance with legal provisions.

4. Report (in financial terms) to other agencies, to
the Congress, and to the public, the status and
results of the agencies' activities.



The forerunner to today's budget and accounting system 
was the Budget and Accounting Act of 1921. This act 
provided for a budget system under the Department of 
Treasury. (This function was later transferred to the 
Executive Office of the President.) The act also estab- 
lished the General Accounting Office (GAO) headed by the 
Comptroller General of the United States. The Comptroller 
General was given the responsibility for developing govern- 
ment accounting systems and was also given authority to make 
expenditure analyses; maintain ledger accounts; investigate
the receipt, disbursement, and application of public funds;
examine books, documents, papers, and records of financial
transactions; perform audits, etc. Since 1921, there has
been a continuing attempt made, through legislation and
executive orders, to establish effective fiscal control over
all governmental activities. The respective headquarters
components maintain control of funds allocated to them
[Ref. 14].

B. WORKING CAPITAL FUNDS

In 1949, when Congress amended the National Security Act
of 1947 establishing the Department of Defense (DOD),
originally named the National Military Establishment, the need to
promote "efficiency and economy" through use of uniform
budgeting and fiscal procedures was recognized. Among the
features of the National Security Act was authorization (10
U.S.C. 2208) for the Secretary of Defense to establish
working capital funds for the purpose of financing supply
inventories and the capitalization of industrial type
activities. Thus what we know today as "industrial funds"
resulted from the National Security Act of 1947.

A fund has been defined as a "separate enterprise, 
having assets, liabilities, net worth, income and expendi- 
tures of its own." In government practice, a fund is not 
tied to profit making, hence, the emphasis is not on
maximizing income. The fund is used to isolate a particular
area and allow management to focus on it as an entity. 

The goal of a DOD working capital fund is to recover all 
costs exactly--work to a zero profit [Ref. 15]. A working
capital fund is not controlled by an annual appropriation. 

C. RESOURCE MANAGEMENT SYSTEMS (RMS) ACCOUNTING

1. Background of RMS

The Resource Management System (RMS) was introduced
to the Navy through a Priority Management Effort (Project
PRIME) in Fiscal Year 1968. One basic change was to require
the costing of military personnel. Another major change was
the separation of procurement costs from operating costs.
The separation of expense and investment costs allows a
differentiation between those costs influenced by management
and those over which there is little control.

In operating RMS all activities are charged for 
operating resources consumed by them at the time of consump- 
tion. An expense is recognized when and where materials, 
supplies, services or labor are used to accomplish a 
mission. To distinguish between the time of purchase of 
resources and the time of consumption, working capital is 
used just as inventory accounts are used in commercial prac- 
tice. RMS changed traditional accounting systems to improve 
and integrate accounting and reporting with programming and 
budgeting. 

2. RMS Accounting

Resource Management Systems (RMS) accounting
includes all procedures for collecting and processing
recurring quantitative information that (1) relates to resources,
and (2) is for the use of management. Resources are people,
materials, services and money. There are four principal
systems:

1. Programming and budgeting

2. Management of resources for operations

3. Management of inventory and similar assets

4. Management of acquisition, use and disposition of
capital assets



The Department of the Navy has promulgated a series 
of publications for implementation of the Resource 
Management Systems for operations within the Navy. A hand- 
book of instructions and procedures applicable at the field 
activity level and at the departmental level and another one 
for the operating forces have been developed [Ref. 16]. 
These handbooks [...] the resource management concepts 
as they apply to operation and maintenance. 
IV. THE MANAGEMENT CONTROL SYSTEM 

A. INTRODUCTION 



The information services (IS) management control system 
is a critical network which integrates the information 
systems activities with the rest of the organization's 
operations. Information services include a central hub of 
operations linked by telecommunications to remote devices 
that may or may not have their own extensive data files and 
processing power. IS integrates the separate technologies 
of computers and telecommunications. While individual 
projects often last more than a year, and planning takes a 
multiyear view, the information services management control 
system focuses on guidance primarily on a year-to-year 
basis. The broad objectives an effective information 
services management control system must meet include the 
following: [Ref. 17] 



1. Facilitate appropriate communication between the 
user and deliverer of IS services and provide 
motivational incentives for them to work together on a 
day-to-day, month-to-month basis. The management 
control system must encourage users and IS to act in 
the best interests of the organization as a whole. 
It must motivate users to use IS resources 
appropriately and help them balance investments in this area 
against those in other areas. 

2. Encourage the effective utilization of the IS 
department's resources, and ensure that users are 
educated on the potential of existing and evolving 
technology. In so doing, it must guide the transfer 
of technology consistent with strategic needs. 

3. It must provide the means for efficient management 
of IS resources and give necessary information for 
investment decisions. This requires development of 
both standards of performance measures and the means 
to evaluate performance against those measures to 
ensure productivity is being achieved. It should 
help facilitate make-or-buy decisions. 






Four specific inputs appear to be critical to the struc- 
turing of an appropriate information services management 
control system for an organization. These are: [Ref. 18] 



1. The control system must be adapted to a very 
different software and operations technology in the 
1980s than was present in the 1970s. An important 
part of this adaptation is development of 
appropriate sensitivity to the mix of phases of IS 
technologies in the company. The more mature 
technologies must be managed and controlled in a 
tighter, more efficient way than ones in an early 
start-up phase which need protective treatment 
appropriate to a research development activity. 

2. The corporate environment influences the appropriate 
IS Management Control System. Key issues here include 
IS sophistication of users, geographic dispersion of 
the organization, sta[...] of the management team, the 
firm's overall si[...] structure, nature of relationship 
between li[...] staff departments, etc. These items 
influenc[...] is workable. 

3. The general architecture of the organization's 
overall corporate management control system and the 
philosophy underlying it. 

4. The perceived strategic significance of IS both in 
relation to the thrust of its applications portfolio 
and the role played by currently automated systems. 



The next subsection discusses alternate methods of defining 
the control structure. 

B. ALTERNATE CONTROL APPROACHES 



The establishment of an information services activity as 
an unallocated cost center--a free resource to users--is 
advantageous where the resource being used is small. 
Accounting for such a cost center requires very low 
expenditures, and the controversy caused by a system of charging 
is avoided. On the other hand, significant problems usually 
exist when the users perceive the resource as free and 
attempt to make irresponsible uses of it. The unallocated 
cost center also insulates the computer installation from 
external measures of performance and makes possible the 
hiding of operational inefficiencies. Although many 
organizations start with an unallocated cost center approach, they 
often evolve to some other form such as the approach of 
using memos to inform users of what their charges would have 
been if a chargeback system were being used. Unfortunately, 
however, a memo about a charge does not have the bite of the 
actual assignment of the charge. [Ref. 19] 

The approach of establishing the information services 
activity as an allocated cost center has the immediate 
virtue of helping to make user requests more realistic. 
While it opens up a debate as to what cost is, it avoids the 
controversy about whether an internal service department 
should be perceived as a profit-making entity. Inevitably, 
however, the allocated cost center introduces a series of 
complexities and frictions since such a system necessarily 
has arbitrary elements in it. Full cost charges of a 
central computer installation can inappropriately stimulate 
the desires of the users to purchase mini/microcomputers. 
Allocations could be less than full cost, depending on the 
organization's overall management control philosophy. 
[Ref. 20] 

The chargeback process has led to a number of unsatis- 
factory consequences from the users' perspective in the 
majority of companies: 



1. Charges are unintelligible and unpredictable. 

2. Charges are highly unstable. 

3. Charges tend to be artificially high in relation to 
incremental costs. 

4. Efficiency variables are directly assigned to ulti- 
mate users. 

5. Administration of the chargeback system is 
frequently very expensive. 
The system is based on passing all costs of the activity to 
customers. The charge for operations costs is based on a 
complex formula related to the use of the computer by the 
application. The user can not predict or control these 
charges because the "equitable distribution" is dependent 
upon what other applications happen to be run during the 
month. To be effective, an information systems operations 
chargeback system must be simple. A second desirable 
characteristic is that the chargeback system should be perceived 
as being fair and reasonable. A third desirable 
characteristic of a chargeback system is that it should separate 
information systems efficiency-related issues from user 
utilization of the system. Information Systems should be 
held responsible for its inefficiencies. Clearly, closing 
at month- or year-end any over- or under-absorbed cost 
variances to the user usually accomplishes no useful purpose. 
[Ref. 21] 

The issues involved in charging for information systems 
maintenance and systems development are fundamentally 
different from those of operations. A professional contract 
should be prepared for such expenditures as though it were a 
relationship with an outside software company. 

The establishment of the information services activity as 
a profit center is a third method of management control. 
This approach puts pressures on the information systems 
function to hold costs down by stressing efficiency and to 
market itself aggressively inside the organization. 
Establishing information systems as a profit center, 
however, has problems. Because of geography, shared data 
files, and privacy and security reasons, many users can not 
go outside. In the short run, the profit center approach 
leads to higher user costs because a "profit" figure is 
added to the user costs. A deceptively intriguing approach 
on the surface, underneath it has many pitfalls. [Ref. 22] 
The investment center approach is similar to the profit 
center approach. The critical difference is that the 
information systems function is made fully responsible for the 
assets employed and is forced to make appropriate trade-offs 
of investment versus additional profits. This produces 
strong motivations to delay capacity expansion and risk 
serious erosion in service provided. Another problem is 
that of focusing only on hardware as an asset and not 
considering the software. A stand alone investment center 
can be perceived as being fully organizationally neutral. 
When set up as a profit, or investment center, the transfer 
price becomes a critical issue. The strengths and 
weaknesses of transfer pricing for the information systems func- 
tion are very similar to those found in transfer pricing in 
general. With cost-based pricing, the profit center and 
cost center are similar since profits can only be earned on 
internal sales by generating positive efficiency variances. 



C. THE NAVY'S ADP CHARGEBACK TEST 

Before the creation of NAVDAC, the Data Processing 
Service Centers (DPSCs) provided ADP support on a no-charge 
basis. To realize "the performance and economic benefits 
attainable" from a NARDAC, an ADP chargeback test was 
instituted, in April 1978, at NARDAC San Diego. During the 
initial phase, statistics were gathered on usage of the 
NARDAC's resources by its customers. At the beginning of 
the second phase, the customers were given funds based on 
the utilization statistics gathered during the first phase. 
These funds were to be used to reimburse the NARDAC for ADP 
support. 

Permission to deviate from the Resources Management 
System was granted by the Comptroller of the Navy so that 
indirect costs could be passed on to customers excluding the 
overhead items of administration, electricity, and 
maintenance of real property. The test algorithm allowed the 
NARDAC to charge premiums or grant discounts based on the 
customer's job priority and shift during which the job was 
run. These premiums and discounts were based on a matrix of 
percentages of full cost incorporating both requested 
turnaround time and the requested shift. Such flexible pricing 
allowed the customer to weigh the importance of his job 
against the amount of money he was willing to pay. Because 
of a legal opinion of the Head, Budget Policy Branch, 
NAVCOMPT, all percentages in the matrix were to be set to 
100. The resulting single charge nullified the most 
important feature of the test. The opinion was that NAVCOMPT 
would support a chargeback system which allocated all actual 
costs directly associated with the operation of the computer 
facility. The overhead items previously mentioned were to 
be excluded. The charge was to be based upon the cost of 
providing the service, not upon the economic value of the 
services. Neither variable prices nor shift differentials 
were allowable. 

D. MANAGEMENT CONTROL AND BUDGETING 

The foundation of the information services management 
control process is the budgeting system. Its first 
objective is to provide a mechanism for appropriately allocating 
scarce financial resources. The budgeting process ensures 
that fine-tuning in relation to staffing, hardware, and 
resource levels takes place. A second important objective of 
budgeting is to set the specific goals and possible 
short-term achievements of the information systems activity. 
Finally, the budget establishes a framework around which an 
early warning system for negative deviations can be built. 
Without a budget, deviations in a deteriorating cost 

rts which monitor staff turnover 
elopment projects. The type of 
rom organization to organization. 
V. NATURE AND ROLE OF OPERATIONAL AUDITING 

A. INTRODUCTION 

Auditing today differs considerably from what it was 
centuries ago. In fact, it is also different from what was 
practiced in the early twentieth century. Whereas the 
purpose of accounts examination used to be to detect fraud 
and certify the accuracy of records, the primary purpose now 
is to express opinions on the fairness of presentation of 
the financial statements. The purpose of auditing the 
performance of management used to be to ensure compliance 
with laws, policies, and regulations. The primary purpose 
now, however, is to improve managerial performance and to 
determine whether an organization, activity or program has 
been managed economically, efficiently, or effectively. 

Operational auditing is the term used in this thesis in 
reference to auditing involving work other than financial 
statement examinations to evaluate the efficiency and 
economy of a given operation. Such an audit is often called 
a management audit in the auditing literature. 

Because there is a lack of standard terminology 
concerning the types of audits, the principal forms of 
government auditing are described below. [Ref. 23] 



1. Financial and compliance--determines (a) whether the 
financial statements of an audited entity present 
fairly the financial position and results of 
financial operations in accordance with generally 
accepted accounting principles and (b) whether the 
entity has complied with laws and regulations that 
may have a material effect upon the financial 
statements. 

2. Economy and efficiency--determines (a) whether the 
entity is managing and utilizing its resources (such 
as personnel, property, space) economically and 
efficiently, (b) the causes of inefficiencies or 
uneconomical practices, and (c) whether the entity 
has complied with laws and regulations concerning 
matters of economy and efficiency. 

3. Program results--determines (a) whether the desired 
results or benefits established by the legislature 
or other authorizing body are being achieved and (b) 
whether the agency has considered alternatives that 
might yield desired results at a lower cost. 

An audit may be either one of these types or a 
combination of any of them. A comprehensive audit includes all of 
them. The operational audit is a subset of an expanded 
scope or comprehensive audit whenever such broad audit work 
is required. This subset is also referred to as an economy 
and efficiency audit. 

Operational auditing is planning for, obtaining, and 
evaluating sufficient relevant evidence, by an independent 
auditor, to determine whether an entity's management or 
employees have carried out appropriate laws, regulations, 
policies, procedures, or other management standards for 
properly using its resources in an efficient and economical 
manner. From the evidence on the audit objective, the 
auditor comes to a conclusion and reports to a third party, 
with sufficient evidence in the report to convince the third 
party that the conclusion is accurate, and with a 
recommendation for the possible correction of any deficiencies. 

Accountability and attest are words often found in 
auditing literature and sometimes are used to mean the same 
thing. They are related, but they are not the same. 
Persons in organizations are accountable and report to some 
outside or higher level of authority. When reliability and 
acceptability are required of the accountable party, an 
independent person attests to the information through an 
audit. The one who receives the audit report may be a 
higher-level manager within the same organization, the board 
of directors, the stockholders, the Congress, the 
public--any individual or group to whom the management or 
employees of an organization are accountable. 
Operational auditing includes all internal operations of 
an organization accountable to some higher level. It 
includes operations for accounting, purchasing, personnel, 
research or any other activity conducted by the 
organization. Operational auditing attempts to determine for the 
accountable entity the best use of manpower, material, 
machinery, and information. 

Auditors of management activities in government must 
follow the 1981 revision of Standards for Audit of 
Governmental Organizations, Programs, Activities, and 
Functions by the Comptroller General of the United States. 
These Standards, known as the "yellow book", have been 
developed in cooperation with other federal, state, and 
local auditing organizations, as well as the American 
Institute of Certified Public Accountants. These standards 
include a detailed discussion of the following items: 

1. Scope of Audit Work 

2. General Standards 

3. Examination and Evaluation (Field Work) and 
Reporting Standards for Financial and Compliance 
Audits 

4. Examination and Evaluation Standards for Economy and 
Efficiency Audits and Program Results Audits 

5. Reporting Standards for Economy and Efficiency 
Audits and Program Results Audits 

Conclusions depend upon the evidence obtained on the audit 
objective and are based on three common elements: 

1. An appropriate standard 

2. The actions of individuals or organizations that 
either did or did not follow the standard 

3. The results brought about by the actions of organi- 
zations or individuals following, or not following, 
the standard. 
Although operational auditing is not a new technique, it 
is a subject of increasing interest. The operational audit 
extends traditional audit approaches and techniques to 
examine policy, procedure and practice in industrial and 
governmental operations. The organizational structure and 
administrative controls are examined with the purpose of 
determining where policies and operating controls vary from 
those essential to the success of the industry or agency. 

More specifically, the operational auditor looks for: 
[Ref. 24] 



1. The existence of those general policies which deter- 
mine the organization requirements — the functions 
and activities essential to the conduct of the busi- 
ness or government agency. 

2. Indications that people have been designated to 
perform each of these functions and that the scope 
of their action and power of decision is both 
defined and understood. 

3. Predetermined goals or planned accomplishments for 
each control area, including standards, estimates, 
budgets, forecasts or other criteria to serve as 
yardsticks for comparison and evaluation. 

4. An efficient accounting system that accumulates 
information following the functional organization lines and 
affords comparison between actual and planned 
results. 

5. A meaningful system of management information that 
provides essential and timely decision-making data 
to all three levels of management — top, middle and 
supervisory. It should communicate current results 
as well as future plans. 

6. Control department statistics and financial trends 
over a period of time that may indicate a deteriora- 
tion in the effectiveness of controllable activi- 
ties. 

7. Good communications throughout the whole system of 
administrative control and evidence that its purpose 
is being achieved. The object is to determine and 
transmit what currently should be done and, in the 
light of later developments, reappraise and communi- 
cate the planned course of corrective action to be 
taken in the future. 



Some of the benefits that can be gained from an opera- 
tional audit include: [Ref. 25] 
1. An objective professional review of the complete 
operations. 

2. A substantiated inventory of weaknesses and 
unfavorable trends with some idea of the impact of these 
deficiencies on revenues and costs. 

3. An opportunity to evaluate present conditions, set 
targets for corrective action, commit financial and 
personnel resources and assign responsibility for 
accomplishment. 

4. Creation of an atmosphere for improvement and 
constructive thinking at all management levels. 

Operational auditing serves the needs of managers to be 
objectively informed about conditions in the units under 
their control. Managers need a means for detecting problems 
and opportunities for improvement. Operational auditing is 
a specialized management tool with a separate role from 
established management information sources. Its purpose is 
to create confidence that things are going well or to 
discover problems or opportunities for improvements on the 
basis of investigation. 

A key feature of operational auditing is that it is 
based on evidence--not personal opinion unsupported by 
factual evidence. Judgement is an essential part of the 
final results, but its value comes only after facts have 
been gathered and compared with standards. 

An operational audit is not designed to evaluate people 
nor can it be expected to provide specific solutions to any 
particular problem or weakness. On the other hand, 
operational auditors should make recommendations, based upon 
their experience, for corrective action. It must be made 
clear, however, that the recommendations are strictly propo- 
sals and such comments are to be acted upon or not acted 
upon only as management chooses. 

The auditor will encounter some situations in which no 
definite recommendation may be possible — either because of a 
lack of qualifying experience or the facts may not permit a 
specific recommendation. Sometimes the most effective solu- 
tions require analysis and research into alternative courses 
of action. 

Table I presents some of the major characteristics of 
financial and operational auditing. 

B. EVOLUTION OF INTERNAL AUDITING 

During its early history, internal auditing was used 
primarily to detect carelessness or other irregularities on 
the part of bookkeepers and others charged with the duty of 
recording transactions. If internal auditing had not grown 
with the change in character of business, it would not be of 
value to management today. It was recognized near the end 
of the nineteenth century that internal auditing could serve 
broader purposes than mere checks of accuracy of accounting 
and statistical data. Thus the profession began to develop 
in a direction which has led to its now being recognized as 
one of the outstanding branches of management control. 
[Ref. 26] 

Internal auditing refers to a series of processes and 
techniques through which an organization's own employees 
ascertain for the management, by means of first-hand, 
on-the-job observation, whether (a) established management 
controls are adequate and effectively maintained; (b) 
records and reports--financial, accounting, and 
otherwise--reflect actual operations and results accurately 
and promptly; and (c) each division, department or other 
unit is carrying out the plans, policies, and procedures for 
which it is responsible. [Ref. 27] 

The internal auditor's work involves constant 
surveillance of such functions as policies; accounting and 
operating procedures; systems of internal control; care, 
TABLE I 

Characteristics of Auditing Types 

Financial Auditing 


Evaluates financial controls 
and transactions to express 
an opinion on financial 
statements as they disclose 
or do not disclose a 
true and fair view 

Requires judgement 

Measures against auditing 
standards and procedures 

A retrospective viewpoint 

Employs generally accepted 
accounting principles 

Audit independence essential 

Opinion for outsiders and 
management 

Performed at least annually 


Operational Auditing 


Evaluates efficiency of use 
of resources, reviews inter- 
nal management systems and 
structure. Deals with all 
measurable aspects of the 
organization. 

Defines problems and oppor- 
tunities for improvement 

Requires judgement 

Based on evidence rather 
than opinion 

Management orientated 

Present and future 
operations 

Employs standards of the 
organization or industry 
for evaluating 
management performance 

Audit is independent 

Does not render opinions 

Periodically performed but 
with indefinite timing 
protection, storage, and destruction of records; 
storage of the organization's valuables; reliability of books 
of record and accounting and statistical reports; and 
compliance with all laws and regulations. 

The internal auditor must have facts as the basis of any 
report. These facts are obtained by a detailed analysis of 
the situation. After reviewing the facts, the auditor must 
appraise them, make judgements on them using his knowledge 
of policies and objectives, and make recommendations for 
solving any problems found. Since the auditor has no 
authority to implement solutions, he must convince 
management to do so. 

There is increasing interest in operational auditing on 
the part of internal auditors as well as by accountants in 
public practice. The development of internal operational 
auditing varies widely between organizations because of 
company size, size of audit staff, and degree of management 
acceptance. There is a need to get the concept of opera- 
tional auditing across to the operating personnel at all 
levels. This is important because a lack of understanding 
or an unwillingness to give the recommendations fair 
consideration makes the audit efforts worthless. [Ref. 28] 

An operational audit provides a service to the executive 
management by providing impartial appraisals of the 
performances of operating groups to the extent of the auditors' 
qualifications to render opinions. Efforts to help 
management to do a better job through aiding the understanding of 
the economic factors in their decisions help the 
organization as a whole. The objective of the operational audit is 
to see that management has at hand all the tools available 
to help in deciding which are the most profitable alternatives. 
This may involve evaluating information flowing in to top 
management as well as the way it is handled by staff groups. 
Evaluating how objectives are being met must be done along 
with how these objectives were set in the first place. 
C. ROLE OF AN OPERATIONAL AUDITOR 

The role of the operational auditor is not a simple one. 
The ability to correctly identify operating problems and 
explain them to senior management often requires a high 
order of skill. 

An auditor must get the willing cooperation of the 
people being audited. They must be convinced that the 
audit's purpose is to help them. A way to begin is by 
sitting down with the manager or supervisor of the facility 
that is to be audited. An explanation of what action is 
planned and what accomplishment is expected should be made. 
The auditor should make an effort to learn what problems the 
people being audited might want to have studied. More prob- 
lems will be discovered during the audit if leading ques- 
tions are asked to get people talking about their jobs. 

The auditor must take the time necessary to do the job 
thoroughly. When time is limited, the activity should be 
divided into smaller operations to allow the auditor to be 
thorough with those that are audited. The auditor must be 
aware of the dangers of not understanding an operation well. 
Something which, on the surface, seems wrong may be all 
right in light of the facts. Conversely, something may be 
basically wrong that initially seems acceptable. When it is 
suspected that something is wrong, a recommended practice is 
to discuss the finding first with the person most directly 
concerned before approaching higher levels of supervision. 
Another suggestion is to try to recommend a solution to any 
problem discussed. After all, if a situation is thought to 
be wrong, there must be some associated idea of what is 
right. 

It is not uncommon to finish an operational audit and 
still feel that there were other things that should have 
been done. At the beginning of the audit, auditors spend 
the necessary time to indoctrinate themselves. A lot of 
time is spent reviewing specific activities before they are 
understood well enough to know if suggestions are to be 
made. As an audit is completed, the audit program is 
revised to incorporate new steps deemed necessary. These 
revisions are essential to ensure that what is accomplished 
is what should be accomplished. No matter how advanced or 
sophisticated a particular brand of operational auditing may 
be, there is room for improvement. A failure to plan and 
strive for that improvement is a failure to properly carry 
out the duties as auditors. 

D. PLANNING AN OPERATIONAL AUDIT 

The output of an operational audit is either a report or 
a carefully structured briefing. This output must include 
all of the essentials about an auditor’s findings. An 
auditor must think about the report during the planning 
stage, plan what will go into the report and do audit work 
that will get the necessary information for the report if an 
efficient operational audit is to be done. 

Planning is an important part of every management under- 
taking, and is equally important in operational 
auditing. Thinking what needs to be done, setting it 
out in a plan, and then following that plan to conclu- 
sion is the best way to complete a job satisfactorily in 
the least possible time. To audit without a plan can 
result in a lot of false starts and wasted effort. 
Consequently, auditors should have a well thought-out 
plan for every assignment. [Ref. 29] 



This planning of the report, however, is begun after the 
auditor has observed conditions where it appears that costs 
can be reduced or results improved. The observed condition 
represents the basic premise around which a finding is 
built. Thus, it should be the focal point for the 
development of plans for conducting the audit and collecting the 
necessary information. [Ref. 30] 
Preliminary survey work is usually needed for effective 
operational auditing planning. The extent of such prelimi- 
nary work depends on how familiar the auditors are with the 
activity or function being reviewed and whether an area for 
detailed audit has been identified. During the survey the 
following actions occur: [Ref. 31] 

1. The envisioned finding is identified and clearly 
defined. 

2. Sources of information are identified for use in 
developing the audit program report. 

3. Audit techniques for further development of the 
envisioned finding are tested. 

4. Staffing requirements and the scope of audit work, 
including audit sites, are considered. 

Several factors need to be considered when deciding the 
scope of the audit. One is whether the projects or trans- 
actions being audited are intended to represent a statis- 
tical sample so that audit findings can be projected to an 
entire program. The scope of work might also be influenced 
by available resources in terms of staff and dollars, and by 
the time constraints. The objective is to do only what is 
necessary to clearly show any possible bad effect and to 
develop a convincing case. Consideration should also be 
given to making pilot studies before embarking on a detailed 
audit. The pilot study at one or more locations would 
provide additional knowledge of operating procedures and 
test the proposed audit techniques. 

There are no step-by-step procedures for doing an opera- 
tional audit. There are, however, certain things that need 
to be done. While the approach is not as uniform as in a 
financial audit, it should at least be systematic. The 
planning should culminate in an audit program. Each program
must be tailored to fit each audit, yet certain elements
should be always present. The program should briefly
summarize the areas to be audited and make a general
statement as to how the required information will be
obtained. It should also state the expected completion date.

Because development of a finding is frequently an
evolutionary process, audit programs should be periodically
updated as work progresses. If conditions or findings are
not as anticipated, the plan must be revised or the audit
discontinued. Any changes to audit scope should be made a
part of the program. Economy and efficiency audits are the
ones where plans are most likely to change as the audit
progresses, so the planning of such audits must be flexible.

For economy and efficiency audits, the goal of the
organization to be examined is whether certain functions can
be performed at less cost without degrading the end result
of the work. For example, suppose that an auditor is given
the assignment of reviewing the maintenance function of an
airline to see if the cost can be reduced without in any way
jeopardizing safety or degrading passenger service. A
further supposition is that the airline has a huge warehouse
full of aircraft tires. Inquiry shows that there are enough
tires on hand to last the airline for five years at the
current rate of consumption. Now the auditor's work must be
planned. A finding that the airline is overstocking tires
and should reduce its inventory will probably be visualized.

The audit plan should be similar to the following
illustration: [Ref. 32]



1. Authority. Review delegations of authority to the
maintenance department to see what authority they have to
buy tires, and whether they have exceeded their authority.

2. Goal. Determine what the goal of the maintenance unit is
with regard to maintenance of tires. (It probably is to
provide the tires needed to keep aircraft supplied with new
tires whenever needed without investing any more money than
necessary in tire inventory).

3. Condition. This is what the auditor observed in the
survey. The airline appears to have far more tires than it
needs--but this must be checked out. The auditor needs to
make inquiries to find out how the airline acquired these
tires and why. A decision will then have to be made
regarding whether there was a reasonable basis for doing so.

4. Effect. The auditor will want to compute how much can be
saved by reducing the stock of tires to a reasonable level.
This will probably include obtaining some criterion for
determining what a reasonable level is. There might be a
plan to see what other airlines use as a basis for stocking
tires to get a criterion. As an alternative, a check could
be made to see how long it takes to reorder tires and base
the stocking level criteria on what quantity is needed to
provide stock between reasonable reorder periods. For
instance, it might be concluded that a three-months supply
of tires plus a reasonable safety level is all that is
needed to meet the maintenance department's goals and it
might therefore be suggested that quantity of stock is the
criterion for the inventory level.

5. Procedures. The auditor will want to find out what
procedures have been established to control the quantity of
tires purchased. Such procedures should be designed to
achieve the goal that the maintenance department has--
presumably the procedures should require some method of
determining that stocks on hand do not exceed the minimum
necessary to keep operating aircraft supplied with new tires
as needed.

6. Cause. The auditor's work should look into what happened
that resulted in the undesirable condition. ... 65% of the
time, it will be found that sound procedures exist but they
are not followed. In some cases, procedures are improperly
conceived and, if followed, will not produce the results
intended by the goals established for the organization.



While the above outlines the planning of such an audit, 
the work would not be done in that order. Item 3 would be 
performed first. Next, the steps needed to get information 
for items 1 and 2 would be performed. This is practical 
since this work takes relatively little time and the
information obtained from these steps can often explain away
the condition found and indicate that everything is all 
right. Next, the auditor must find out what the procedures 
are for controlling tire inventories and determine whether 
there is significant effect. This is usually the time- 
consuming part of the work but, if there is not a signifi- 
cant effect, there is not much use going any further. Item 
6 (cause of the problem) would follow if the effect is 
determined to be significant. 

As mentioned previously, auditors will frequently 
discover in pursuing an envisioned finding that the condi- 
tion is not what was initially observed. When this happens, 
the audit program will generally need to be revised. To 
illustrate, suppose that the auditor learned that the 
company had recently acquired another airline and had also 
been authorized to add several more flights. Further 
suppose that checking the requirements showed that many of the
tires had been purchased (1) to cover the related expected 
increase in tire use, and (2) to provide an initial inven- 
tory for a new plane that was being put into service. Given 
these new requirements the tire supply may be justified. If 
this is the case, further audit work on this would not be 
warranted. 

If the auditors were very inquisitive and began 
wondering why all new tires were used and none were 
recapped, and they knew that recapping is common practice in
the airline industry, they might visualize that the airline 
could save considerable money by recapping tires if it could 
be done without jeopardizing safety. This new picture of 
the finding requires a revision of the audit plan. The 
revised plan should be something like the following example. 
[Ref. 33] 

1. Authority. Review the delegations of authority to see
what responsibility the maintenance department has been
given for recapping tires and whether conditions may have
been spelled out for recapping.

2. Goal. Determine what goal, if any, the maintenance unit
has. If it is necessary, obtain evidence to establish an
asserted goal. On the basis of information obtained from
other airlines, the asserted goal might be to "use recapped
tires as often as the casings permit."

3. Condition. It appears the airline could use recapped
tires, but the auditors will need to assure that it can be
done safely. This will require contacting other airline
companies to get information on their experience, the extent
they use recapped tires, and their criteria for recapping.

4. Effect. The auditors will want to compute how much money
can be saved by using recapped tires. They will need to
obtain information on the price of new tires versus the
costs associated with recapping. The auditors will also need
to obtain information--from other airlines--to determine the
average number of times a tire can be recapped.

5. Procedures. The auditors will want to find out what, if
any, procedures the maintenance department has for recapping
tires. These procedures should provide criteria for
determining how often and under what conditions tires can be
safely recapped.

6. Cause. The auditors' work should be sufficiently
extensive to determine why this condition has resulted. In
this case it would appear to result from a lack of
procedures for recapping tires.



The audit steps and information requirements of this 
finding differ significantly from the initial audit plan. 
This example also illustrates the difficulties auditors 
encounter in doing operational audits. Even with the best 
planning, false starts often cannot be totally eliminated. 

Another planning consideration is the engagement letter. 
The auditor often must start his engagement with a proposal.
After planning and preparing the proposal letter, it becomes
the engagement letter when signed by the client. The form
and structure of this letter are critical. The introduction
sets the tone for the entire letter. It should be formal
and forthright. Specifics included in the opening paragraph
are the date of the visit, the subject of the study and the
names of all supervisory personnel encountered during the
preliminary survey. The statement of the engagement's basic
objectives is probably the most critical section. The
objectives should be stated simply and concisely in terms of
the client's definition of the problem or opportunity. The
approach should be a clear and specific statement of the
work plan. It should omit nonessential details. Unless the
anticipated benefits are stated clearly and confidently the
client might infer that there are doubts in the auditor's
mind. Frequently in proposals to government agencies there
is a section presenting the professional qualifications of
the auditors. The conclusion should end in a positive vein
[Ref. 34]. This discussion pertains to management services
but will apply equally well to proposals and engagement 
letters for operational audits. Public accountants require 
an engagement letter for approval to continue the audit 
beyond the preliminary survey and testing of management and 
internal control. In most government audit agencies, since 
the law requires that examinations be made, the approval 
that must be obtained for continuing the audit is from a 
higher-level authority in the audit agency.

VI. PHASES OF THE AUDIT FUNCTION



A. INTRODUCTION

To be successful an audit must be conducted within a
sound conceptual framework with flexible procedures. Such 
an audit requires analytical ability, ingenuity, and system- 
atic procedures. Each operational audit is unique. There 
is no common approach and the factors to be considered will 
vary as much as the approach. Some elements that suggest a 
starting place are these: goals and objectives, plans,
organization, operations, controls, systems and procedures,
staffing, facilities, reports, policies, and communications. 

Although the sources of information that are available 
to an operational auditor depend upon the auditor's skill,
experience and training, some sources are common. The
people in the unit being audited are the prime source. A
well-conducted interview is often the most efficient tool 
available. 

Internal documentation can also be a major source of
information. Organization manuals, organization charts, 
staff memos, policy manuals, training manuals, and adver- 
tising brochures are some of the documents that may be 
useful in addition to the financial, production, cost and 
budget ones. The auditor should start the accumulation of 
documents early in the assignment. 

Direct observation is another productive source of
information. By consciously observing, the auditor becomes 
aware of problems that are not reflected in data. 
Observation is also a source of specific examples that can 
be used to illustrate general conclusions.

According to Lindberg, each audit assignment includes the
following phases: [Ref. 35]



1. Definition and organization. The first step in an
operations audit is to identify the areas and scope
of the study.

2. Preparation. The next step is for the auditor to
become familiar with corporate plans, policies, and
organization as they relate to the unit or area to
be reviewed and to acquaint himself with relevant
industry information.

3. Initial survey. The auditor should become oriented
in the field within which work is to be done through
discussions with key people there. At this stage
the auditor samples aspects of the work and the
environment of the field of inquiry.

4. Research. After becoming familiar with the field of
inquiry, the auditor systematically uncovers the
facts about the operations, assignments of
responsibility, and plans and management of the area. This
stage requires being on guard against attempting to
dig out all the facts. Since it is probably
impossible to get all of them, the auditor should
concentrate on getting the key facts and those that are
readily available. They will suffice for the
analysis.

5. Analysis. After gathering the key facts and enough
additional information to justify the formation of
conclusions, the auditor is in a position to analyze
and to decide whether the results of analysis
indicate true opportunities for the making of
improvements.

6. Reporting. At this stage the auditor sums up the
findings in writing and takes care to define the
uncovered problems as meaningfully as possible in
specifics and costs. Although report preparation is
customarily regarded as the final step, the auditor
will be well advised to start it on the first day;
the surest way to drag it out is to wait until the
end of the study. It is also beneficial to discuss
findings with the manager of the auditing department
before submitting the report to a higher level.

7. Justification. This is the last step in a study,
often the most critical. At this point such
challenges as have arisen to the accuracy or worth of
the findings are countered orally by the operations
auditor, usually in executive meeting.



To reach the audit objective the auditor must include 
all of the above steps which can also be characterized as: 



1. The preliminary survey 

2. The review of management control

3. The detailed examination

4. The report development 

These four phases are comparable to the five steps given 
by the American Institute of Certified Public Accountants 
for conducting performance evaluations:

1. Ascertaining the pertinent facts and circumstances 

2. Seeking and identifying objectives

3. Defining problem areas or opportunities for improve- 
ment 

4. Evaluating and determining possible improvements 

5. Presenting findings and recommendations [Ref. 36] 



B. THE PRELIMINARY SURVEY

During the preliminary survey phase, the auditor quickly
obtains background and general information on all aspects of
the organization being considered for examination. The
working knowledge of the entity gained during this phase is
not evidence--it is simply descriptive information. It
includes historical and operating information as well as
legislative information on governmental organizations.
Certified Public Accountants (CPA) approach the preliminary
survey a little differently from governmental auditors. They
must plan for a request for proposal for the contract for
the engagement, as well as prepare for gathering background
information. The conclusion of this phase becomes the
objective for the next phase. It also becomes the basis for 
determining how to obtain evidence and how much evidence is 
needed for the phase that reviews management control.

C. THE REVIEW OF MANAGEMENT CONTROL

One purpose of the second phase is to obtain evidence on
the three elements of the tentative audit objective--
criteria, cause and effect. Criteria represent the
standards for the audit. Causes represent management or
employee actions that took place or should have taken place 
to carry out the appropriate standard. And effects repre- 
sent the results of the measurement of the causes against 
the criteria. The term management control as used here 
includes planning, policy, and procedures determination, as 
well as the actual practices carried out in managing an 
organization’s affairs. Management control promotes the 
effective carrying out of assigned responsibility as 
intended. By obtaining evidence on the tentative audit 
objective, the auditor determines whether there is a basis 
for a detailed examination. By determining the competency 
of the evidence, the auditor can also determine the reli- 
ability of the information to be obtained from the manage- 
ment control system. 



Any good management control system follows these steps: 
setting standards, objectives, goals, or procedures;
determining whether the standards, objectives, goals, or
procedures have been appropriately carried out;
appraising the results of such carrying out; and then,
when necessary, taking corrective action. The principle
underlying these steps is that no one person should be 
in complete control of any important part of the opera- 
tions of the system. [Ref. 37] 



The basic approach is to review the specific flow of
procedures and practices applied to a specific transaction
or item.



D. THE DETAILED EXAMINATION

The detailed examination phase of the audit function is
usually thought of as the audit. The prior two phases,
however, determine what is to be done and how it is to be
done. Reporting the results of the audit of management's
performance concerning efficiency and economy will be 
discussed in the next section. 

The evidence gathered during the detailed examination 
must be sufficient as well as competent, material, and rele- 
vant in order for the auditor to arrive at an acceptable 
conclusion on the audit objective and then report that 
conclusion. Interviewing knowledgeable persons generally 
provides substantial amounts of information that can be used 
as evidence. The information so obtained may also be used 
to supplement, explain, interpret, or contradict information 
obtained by other means.

The emphasis in operational audits in data processing 
environments is shifting from the evaluation and verifica- 
tion of processing results (e.g. data files, records, 
reports) to the evaluation and verification of the controls 
that ensure the continuing accuracy and reliability of 
processing results. This emphasis is resulting in new audit 
approaches and techniques. Many of the controls that ensure 
the accuracy and completeness of data processing results are 
now automated and can no longer be reviewed and verified 
through direct observation. 

Changing application systems structure presents new 
problems for auditors. [Ref. 38] 

1. Input transactions are being entered for immediate, 
on-line processing from remote terminal locations in 
contrast to the single-entry point batch input, 
typical of earlier years. 

2. Applications are being tied together so that a 
single input transaction performs multiple func- 
tions. Transactions are also being generated within 
an application program and automatically flow into 
others.

3. Audit trails in hard copy form are being eliminated.
For example, detailed lists of input transactions
and periodic master data file listings are being
replaced by transaction logs on magnetic tape that
can be printed if a need arises, and by interrogation
of on-line data bases.

Auditing in this environment should include a review of: 
[Ref. 39] 

Manual procedures that have been developed to complement
controls internal to computer application programs
(e.g., input preparation, input control, error handling,
and output balancing and reconciliation).

Application system controls internal to computer
application programs (e.g., data validation, control total
verification, batch or transaction balancing and
proofing, and error identification and reporting).

Data files and reports produced as a result of computer
application processing (e.g., data processing
masterfiles, transaction logs, and output reports).

Auditing these areas includes a review of controls to 
determine their adequacy, tests to verify controls, and 
tests to verify data (i.e., masterfiles and reports). 

E. THE REPORT DEVELOPMENT

All work done in the audit function leads to this phase. 
The conclusion to the audit objective, which has been devel- 
oped in the detailed examination phase from evidence gath- 
ered in that phase, is converted into a form that an 
interested third party can accept and understand. There is 
no standard way for presenting results of an operational 
audit. There are some basic ideas, however, on ways to
present the results.

The "report controls" standard for government economy
and efficiency audits and program results audits is
presented below. [Ref. 40]

The report shall include:

1. A description of the scope and objectives of the
audit.

2. A statement that the audit was made in accordance
with generally accepted government auditing
standards.

3. A description of material weaknesses found in the
internal control system (administrative controls).

4. A statement of positive assurance on those items of
compliance tested and negative assurance on those
items not tested. This should include significant
instances of noncompliance and instances of or
indications of fraud, abuse, or illegal acts found
during or in connection with the audit. However,
fraud, abuse, or illegal acts normally should be
covered in a separate report, thus permitting the
overall report to be released to the public.

5. Recommendations for actions to improve problem areas
noted in the audit and to improve operations. The
underlying causes of problems reported should be
included to assist in implementing corrective
actions.

6. Pertinent views of responsible officials of the
organization, program, activity, or function audited
concerning the auditors' findings, conclusions, and
recommendations. When possible their views should
be obtained in writing.

7. A description of noteworthy accomplishments,
particularly when management improvements in one area may
be applicable elsewhere.

8. A listing of any issues and questions needing
further study and consideration.

9. A statement as to whether any pertinent information
has been omitted because it is deemed privileged or
confidential. The nature of such information should
be described, and the law or other basis under which
it is withheld should be stated. If a separate
report was issued containing this information it
should be indicated in the report.



All reportable results should be comparable to the audit 
results, and should be stated in terms of criteria, causes, 
and effects. Thus, the auditor will state the criteria in 
terms of an appropriate standard for the activity, the 
causes in terms of what were the actual happenings at the 
time the audit took place as well as what should have been 
happening and the significance of the results on not 
carrying out the appropriate standard.

Recommendations are usually brief suggestions by the
auditor as to what should be done to bring about
improvements in performance. Recommendations are not requirements
set by the auditor as to standards that should be followed
by the entity. The management of the organization has the
responsibility for requiring recommendations to be followed;
all the auditor can do is suggest the basis for improvement.

Before preparing a final report, the auditor usually
prepares a draft report, which is submitted to the
organization concerned with the audit, for their comments in order
to be sure that the report is fair, complete, and objective.

tables II, III, IV, and V [Ref. 41]

TABLE II



The Preliminary Survey

PHASE ONE

1. Obtain in a relatively short period of time
background and general information on
organization and management activity
being considered for examination.

2. Analyze background and general
information to obtain relevant
evidence--not necessarily sufficient,
material or competent--on one or more
elements--criteria, causes, or effects--of a
possible audit objective.

3. Assert the other element or elements in
order to have a tentative audit objective.

4. Assert alternative criteria and other
elements on related management activities
to establish possible alternative audit
objective.

5. If possible alternative objective is to be
considered, obtain relevant evidence, if no
evidence has previously been obtained, on
one or more elements of the possible audit
objective in order to have alternative
tentative audit objective.

6. Summarize evidence and assertions on
tentative audit objectives.

7. Conclude from relevant evidence and
assertions:

a) that original or alternative
tentative audit objective can be used
as the objective for the review phase, if
relevant, material, and competent
evidence can be obtained on all three
elements of the tentative objective, and
(1) what types of relevant material and
competent evidence will be needed to
determine the audit objective, and (2)
what types and how much evidence
will be needed to determine
competency of evidence. Proceed to
review, or

b) that tentative objectives cannot be used
because evidence would not be
available or that conditions do not
warrant continuation. Withdraw from
engagement.

TABLE III

The Review of Management Control

PHASE TWO



1. Obtain any needed additional background
information.

2. Obtain relevant, material, and competent
evidence--not necessarily sufficient--on
tentative audit objectives by testing
management control to determine:

a) that there could be a reasonable
criteria,

b) that some particular person or group of
persons at one or more levels of
responsibility could cause an inefficient
operation, and

c) that the effects of the inefficient
operation are significant.

3. Obtain evidence from management control
system on the competency of evidence that
must come from system if additional work
is to be done.

4. Determine that evidence could not be
obtained on all three elements of the
tentative audit objective.

5. Summarize evidence and conclude:

a) whether the developed tentative
audit objective can be a firm
objective to be used in the detailed
examination phase,

b) whether evidence that must be
obtained would be competent, and

c) what additional evidence must be
obtained and from what source to have
sufficient competent, material and
relevant evidence to come to a
conclusion on the audit objective.

Proceed to detailed examination, or

d) that auditor should withdraw from
examination.

TABLE IV

The Detailed Examination

PHASE THREE

1. Obtain any additional background data
needed.

2. Obtain sufficient competent, material, and
relevant evidence to determine:

a) the acceptability of the criteria of the
audit objective and that any
argument against the criteria can be
rebutted,

b) the specific action or lack of action at
levels involved in the management
activity that caused the effects, and

c) the significance of the effects.

3. Summarize evidence in terms of criteria,
causes, and effects.

4. Conclude from the summarized evidence
that the effects in the management activity
were significantly inefficient when the
actions of employees and management are
evaluated against the criteria. Proceed to
report development.

5. Conclude that sufficient evidence could not
be obtained to determine an appropriate
criteria on the management activity,
determinable causes, or significant effects
or that other conditions warrant that the
auditor should withdraw from engagement.

TABLE V

The Report Development

PHASE FOUR



1. Set the scene through background or
general information or through scope of
audit.

2. Communicate conclusion, stating the
significance of the effects caused by not
following a proper standard. Sufficient
evidence on criteria, causes, and effects
should be given with the audit objective for
the reader to come to same conclusion as
the auditor.

3. State recommendations, usually that the
criteria should be followed in the future
to obtain best results.

VII. CONSIDERATIONS FOR AN OPERATIONAL AUDIT OF A NARDAC

A. OVERVIEW

An operational audit of a NARDAC can provide a vital
check and balance on the organization as it attempts to meet
cost and service goals. The basic purposes of the audit are
to ensure that measurable standards for systems development
and operations functions have been developed; to ensure that
these standards are being adhered to by the various depart- 
ments; to ensure that systems are designed to be easily 
auditable and that maintenance changes do not create unin- 
tended problems; and to act as a catalyst for improving 
operating efficiency. 

The NARDACs are incredibly complex. The governing regu-
lations are intricate and perpetually changing. The prag- 
matic civil service management tacks new procedures onto the 
old and maintains the same basic work patterns. The civil 
servants are a force for continuity in this dynamic opera- 
tion. In contrast, the military managers are invariably 
committed to change. When making recommendations for 
improvements as the result of an operational audit, the 
auditor must be aware that what can be done in and by a 
NARDAC is limited by the legal and political framework in 
which it functions. The lack of administrative continuity 
increases the need for an effective internal control system. 

B. INTERNAL CONTROLS IN FEDERAL GOVERNMENT

In 1950, the Accounting and Auditing Act was passed
requiring, among other things, that agency heads establish
and maintain effective systems of internal control. Since
then, the General Accounting Office (GAO) has issued
numerous publications to guide agencies in establishing and
maintaining effective internal control systems. While the
need for improved internal controls has continued,
development of effective systems has been slow.

In the past decade, numerous situations came to light 
that dramatically demonstrated the need for controls as the 
government experienced a rash of illegal, unauthorized, and 
questionable acts which were characterized as fraud, waste,
and abuse. It is generally recognized that good internal 
controls would have made the commission of such wrongful 
acts more difficult. Consequently, increased attention is 
being directed toward strengthening internal controls to 
help in the restoration of confidence in government and to 
improve its operations. 

The Federal Managers' Financial Integrity Act of 1982
requires renewed focus on the need to strengthen internal 
controls. The act requires periodic evaluation of agency 
internal control systems and that the heads of executive 
agencies report annually on their system status. These 
evaluations are to be made pursuant to the "Guidelines for 
the Evaluation and Improvement of and Reporting on Internal 
Control Systems in the Federal Government," issued by the 
Office of Management and Budget in December, 1982. The 
reports are to state whether systems meet the objectives of 
internal control and conform to standards established by 
GAO. 

Standards for Internal Controls in the Federal
Government, issued by GAO, presents the internal control
standards to be followed, and covers both the program 
management as well as the traditional financial management 
areas. GAO will issue interpretations and revisions to the 
standards as may become necessary. 

The following is GAO’s concept of internal controls:
[Ref. 42]

The plan of organization and methods and procedures
adopted by management to ensure that resource use is 
consistent with laws, regulations, and policies; that 
resources are safeguarded against waste, loss, and 
misuse; and that reliable data are obtained, maintained, 
and fairly disclosed in reports. 



The GAO general internal control standards apply to all
aspects of internal controls. Table VI is an outline of the
standards: [Ref. 43] 



TABLE VI 

GAO General Internal Control Standards 



1. Reasonable Assurance. Internal control systems
are to provide reasonable assurance that the
objectives of the systems will be accomplished.

2. Supportive Attitude. Managers and employees
are to maintain and demonstrate a positive and
supportive attitude toward internal controls at
all times.

3. Competent Personnel. Managers and employees
are to have personal and professional integrity
and are to maintain a level of competence that
allows them to accomplish their assigned duties,
as well as understand the importance of developing
and implementing good internal controls.

4. Control Objectives. Internal control objectives
are to be identified or developed
for each agency activity and are to be logical,
applicable, and reasonably complete.

5. Control Techniques. Internal control techniques
are to be effective and efficient in accomplishing
their internal control objectives.



It is essential to provide assurance that the internal
control objectives will be achieved. These critical
techniques are the specific standards outlined in Table VII.
[Ref. 44]

TABLE VII

GAO Specific Internal Control Standards 



1. Documentation. Internal control systems and
all transactions and other significant events are
to be clearly documented, and the documentation is
to be readily available for examination.

2. Recording of Transactions and Events. Transactions
and other significant events are to be promptly
and properly classified.

3. Execution of Transactions and Events. Transactions
and other significant events are to be authorized
and executed only by persons acting within the
scope of their authority.

4. Separation of Duties. Key duties and responsi-
bilities in authorizing, processing, recording,
and reviewing transactions should be separated among
individuals.

5. Supervision. Qualified and continuous supervision
is to be provided to ensure that internal control
objectives are achieved.

6. Access to and Accountability for Resources.
Access to resources and records is to be limited to
authorized individuals, and accountability for the
custody and use of resources is to be assigned and
maintained. Periodic comparison shall be made of
the resources with the recorded accountability to
determine whether the two agree. The frequency of
the comparison shall be a function of the vulner-
ability of the asset.



Auditors are responsible for following up on audit find- 
ings and recommendations to ascertain that resolution has 
been achieved. Table VIII presents the Audit Resolution
Standard. [Ref. 45]

TABLE VIII

GAO Audit Resolution Standard 



Resolution of Audit Findings. Managers are
to (1) promptly evaluate findings and recommendations
reported by auditors, (2) determine proper actions in
response to audit findings and recommendations, and 
(3) complete, within established time frames, 
all actions that correct or otherwise resolve the 
matters brought to management's attention. 



C. INTERNAL CONTROLS IN THE DATA PROCESSING ENVIRONMENT

Internal controls in the data processing environment 
pertain to the processing and recording of an organization's 
transactions and to resulting management reporting. They 
are the procedures that ensure the accuracy and completeness 
of manual and automated transactions, records, and reports, 
and the avoidance, detection, and correction of errors. 
They encompass source document origination, authorization, 
processing, data processing record keeping and reporting, 
and the use of data processing records and reports in 
controlling an organization's activities. 

The "Data Processing Audit Practices Report," issued by 
the Institute of Internal Auditors, presents an overview of 
the elements of internal control in the typical data
processing function. These elements are applicable to a 
NARDAC in addition to general controls needed by any organi- 
zation. These elements are: [Ref. 46] 

Computer application systems, which encompass manual
procedures to originate and transmit input transactions
to the data processing department; computer application
programs that control the processing of transaction
data, record maintenance, and output report preparation;
and procedures that guide computer service center 
personnel in the use of specific computer application 
programs and the handling of the associated input data 
and output reports. 

Computer service center operations, which encompass the 
facilities, equipment, personnel, and general procedures 
that govern computer center operations, as opposed to
procedures specific to individual application systems. 



Application systems development, which encompasses the
personnel and general procedures governing the design,
development, testing, and implementation of the manual
procedures and computer application programs that make
up computer application systems. This element also
includes the modification and improvement of existing
computer application programs.



The three data processing elements are planned, orga-
nized, and managed to achieve various management information
system objectives. They are also interdependent. For
example, systems development may be constrained by the
availability of processing capacity or specialized
resources. In contrast, processing capacity may be
increased and special features added to accommodate new
systems development requirements.

A similar interdependency exists between computer appli-
cation systems and the computer service center. Poorly
designed application programs can degrade overall center
operations. Intervention required by center personnel tends
to be error prone and to make inefficient use of expensive
computer resources. Computer service center operations can
have a significant impact upon computer application systems.
Poorly or inadequately trained staff are frequent causes of
processing problems that affect application systems and
their users. Inadequate procedures within the computer
service center can cause or allow errors to pass undetected
in the preparation, scheduling, and handling of input trans-
actions, data files, and output reports. Such undetected
errors can defeat the intent of controls built into computer
application programs, at considerable expense in terms of
development time and money.

D. THE PERSONNEL SYSTEM



When the Federal staffing process requires several 
months to routinely fill a position, the process is a 
disservice to mission accomplishment. The regulations exist 
to prevent abuse of privileges, but the result is often less 
flexibility for the responsible manager. 

Before action can be taken to hire, transfer, promote,
reassign or demote a civilian at a NARDAC (or any Federal
government job), a formally established position description
(PD), classified in accordance with laws and regulations,
must exist for the job. A PD provides information on the
principal duties, responsibilities and supervisory relation-
ships of a position. This information is used primarily for
classification purposes, but has other functions as well.
PD's can help to detect duplication of work or overlapped
duties; analyze training needs; and help to determine
standards of performance. Because PD's affect so many personnel
practices, they are an important source of information for
the operational auditor.

A vital part of the Federal staffing process is evalua- 
tion of a new employee during the probationary period. 
Separation of an inadequate employee is more difficult after 
the probationary period, and the employee could remain on 
the payroll for many years as a marginal producer. An 
employee who completes a probationary period can never be 
required to serve another such period. 

E. PRODUCTIVITY CONSIDERATIONS

Before a manager can increase productivity, productivity 
has to be defined. Performance objectives are tools that 
are applicable only in settings that demand accountability 
and that reward performance. One major difference between a
NARDAC and a similar organization in private industry is in
the degree to which either would benefit from an operational
audit. Much of a NARDAC’s productivity problem may really
be a problem of law.

In "Coping with the Employee Turned Institution," 
Jeffrey Davidson discusses the phenomenon of the employee
in a Federal position who has effectively ceased to function
in the position to which hired or promoted. Davidson gives
details of how to identify such an employee and what to do
about one. [Ref. 47]



There exists in . . . large organizations at least one
employee who has effectively ceased functioning in the
role or position for which . . . originally hired, or
to which . . . promoted. This type of employee turned
institution is acclimated to all the ways of getting
through each workday contributing an appearance of being
on top of the job.



The personnel, management, and monitoring systems and
procedures within federal government leave much to be
desired. The possibility that an employee can become an
institution within any organization stems from a variety
of reasons. One reason is that the employee possesses
specific knowledge or skill that the organization cannot
readily acquire from other sources. The employee may
have developed a particular expertise that, at least
periodically, is of vital importance to operations.
Frequently, an employee turns "institution" within an
organization simply because he or she is allowed to, and
no one (not even the supervisor) is cognizant of, or
willing to expose, the employee’s general lack of dedi-
cation and limited effectiveness on the job.



Usually when an employee turns institution the occur-
rence is due, in part, to a lack of awareness on the
part of one key manager or supervisor. That one key
person having knowledge of the employee’s true work
habits and operating procedures, would not allow such a
practice to exist. The employee turned institution
promotes mediocrity; when confronted with an idea that
might be good for the organization but would involve
real work, the employee will often respond with idea-
killing phrases like "We've tried that before," or,
"That never works."



While the employee may make no significant contribu- 
tions, rest assured that he or she will be well informed 
of organization policies and procedures, and will do
whatever possible to stretch the policies for personal
advantage. The employee turned institution can flourish
only when otherwise good managers and supervisors refuse
to see the true picture. The employee must be stopped
cold, before having a chance to:



1. Lower productivity,

2. Demoralize other employees,

3. Unfavorably influence other employees,

4. Tarnish the organization’s image to outside parties.

This phenomenon of the employee turned institution
occurs frequently, throughout the federal government,
since it is difficult to remove an employee from a
federal position.

F. NARDAC LEAD-ACTIVITY APPROACH

Because ADP technology changes so rapidly and ADP 
resources are scarce, individual NARDACs have been assigned 
the lead responsibility in specific aspects of the tech- 
nology. For example, NARDAC Norfolk has been tasked by
NAVDAC with the responsibility of providing client support 
for the acquisition and use of microcomputers. In response 
to this tasking, it has developed a Technical Reference 
Library and Software Exchange Center. It has established a 
microcomputer user group, and it also performs ongoing 
hardware/software evaluation programs. This lead activity
has also prepared reports on the subject of Low-cost 
Expandable Microcomputer Systems, also known as the LEMS 
Project. This lead assignment approach has distinct advan- 
tages to the customer activities and the NARDACs. It 
enables all NARDACs to keep abreast of the state of the art
while avoiding costly duplication of effort. Moreover, it

G. CONCLUSIONS

Every manager must have a means for readily identifying 
and accurately defining emerging problems before they become 
institutionalized. The motive for operational auditing is
that it is an efficient source of information about
sophisticated problems facing a manager.



The manager’
[Ref. 48]



more difficult and challenging 
the mathematician, the physi- 
n management, many more signif- 
taken into account. The 
he factors are more complex, 
r scope. The non-linear rela- 
he course of events are acre 



As more authority is delegated it becomes increasingly 
difficult for top management to keep informed on how well 
its programs and policies are being carried out. 
Operational auditing provides information needed by top 
managers who can not be personally informed about all areas 
for which they are responsible. Without a means for objec- 
tively measuring performance, managers may spend too much
time doing the wrong things--things that might make them
look good on the surface but which actually are not good for
the organization.

VIII. PERFORMING THE AUDIT

A. PURPOSE OF THE AUDIT



The NARDACs became Navy Industrial Fund (NIF) activities
at the beginning of fiscal year 1984. NIF activities are
required to bill customers, using a stabilized rate, for the
ADP services rendered. Commander, Naval Data Automation
Command (COMNAVDAC) approves the number and kind of rates to
be established. These rates are expected to remain in
effect for an entire fiscal year. Any variance between
stabilized rate billings and actual costs becomes profit or
loss to the NIF activity and is absorbed by the corpus.
The goal, however, is total cost recovery, generating
neither profit nor loss. Because all costs are passed on to
the customers, efficient and economical operations are a
major concern. The customers should not be required to pay
for inefficiencies. Thus, an operational audit is critical
to the identification of areas in need of improvement.

The NARDACs have been studied for potential contracting
out of the services now performed by government civilian and
military personnel. Plans are being made for an internal
reorganization to allow for government management and moni-
toring of the operations after the contract has been let.
When contracting for services, the government has to specify
acceptable standards of operations. An audit would help to 
define the needed criteria and provide a means to evaluate 
these criteria that will be applicable to the contractor. 

The commanding officer of the NARDAC would be the
recipient of the audit report except when the audit has been
conducted at the direction or request of COMNAVDAC. In that
case, the report would be made to COMNAVDAC.

Effective, efficient, and economical use of the computer
resources at a NARDAC requires ongoing coordination among 
management, computer users, and auditors to bring this 
powerful tool into proper perspective and under close
control. Vast amounts of data have been concentrated in a
few computer centers. This condition has resulted in virtu-
ally total dependence upon the computer. To minimize the
potential vulnerability for loss associated with this depen-
dence requires a greater degree of audit involvement than
previously required. Data processing equipment, software
and personnel are expensive. These costs and the potential
for loss, destruction, or misuse of these resources must all
be considered when reviewing the internal controls and
security required for the Electronic Data Processing (EDP)
facility.

Unlike auditing in the traditional sense, operational 
audits concentrate on the utilization of resources, also 
paying considerable attention to information systems and 
internal organization and procedures. There is some
overlap, however, of financial audits and operational
audits. Both, for example, review the systems and proce-
dures of internal control. Operational auditing also 
provides detailed reviews of other areas such as space 
utilization, purchasing practices, hiring practices, and 
management decision making. Operational auditing provides a 
means to determine whether employees are giving their best 
efforts or whether costs can be lowered. 

B. PURPOSE OF THE AUDIT GUIDE

The purpose of this guide is to provide uniform instruc- 
tions and guidance to personnel engaged in auditing EDP 
facilities at a NARDAC. This audit guide (program) is a
result of the increased emphasis being placed on management
of and control over the Navy's EDP facilities. The guide is
designed to include organization, facility internal
controls, maintenance, security, resources and contingency
planning, and user billing/chargeout procedures. Audits at
a NARDAC may involve only the NARDAC or include reviews at a
number of customer activities. The extent of detailed work
to be accomplished will depend on the quality and extent of
the services provided to customer activities. The auditor
will determine the order and extent of audit coverage neces-
sary for the particular NARDAC being audited. The audit
steps are intended to lead the auditor into the more impor- 
tant aspects of the NARDAC management but are not intended 
to be restrictive or to serve as a substitute for initia- 
tive, imagination, and judgment. 

The objectives of EDP facility audits are to: 

1. appraise the adequacy, efficiency, and reliability
of the EDP facility, including training programs,
security, and processing controls;

2. determine the extent and adequacy of application
system procedural controls; and

3. evaluate procedures, standards, and controls over
local program development.

The audit guide provides a standardized audit approach. 
It is, however, only to aid the auditor during the audit 
process--not to direct every step. The auditor must still
rely on experience, intuition, and preliminary results of
the audit in determining the full scope of the audit. The
objective of this guide is to organize the audit approach, 
reduce preparation time, and ensure a level of completeness 
on the audit. This guide is primarily a result of adapting 
audit programs issued by the Naval Audit Service. (The 
Naval Audit Service designs audit programs that provide 
comprehensive guidance for auditing selected functions.) 
Other guides can be obtained in the following ways:
[Ref. 49]

1. From associations such as: American Institute of
Certified Public Accountants, The Institute of
Internal Auditors, Bank Administration Institute,
Canadian Institute of Chartered Accountants.

2. From major certified public accounting firms and
chartered accounting firms.

3. From organizations supplying manuals and an updating
service such as: Auerbach, Datapro, FAId.

4. From publications such as Security, Accuracy, and
Privacy in Computer Systems by James Martin
(Prentice-Hall); AFIPS Systems Review Manual on
Security, AFIPS, Montvale, N.J. (1974); Computer



Audit guides obtained from the above sources can be 
modified to meet the specific needs of the organization. It 
is recommended that two or more audit guides for one area be 
obtained. At that time . . . auditing personnel can 
combine the questions and approaches on the audit guides 
with their own knowledge of the organization in that area. 
This would result in an audit guide meeting the specific 
needs of the organization. A data processing background is 
necessary to effectively use this auditing guide. Without 
this background, the auditor will not comprehend the impor-
tance of or meaning behind some of the items in the guide. 



C. GENERAL INSTRUCTIONS



In performing an audit, the auditor should proceed as
follows:



1. Establish the purpose and scope of the audit. 

2. Make necessary modifications to the audit program 
based on the particular audit objectives. 

3. Perform an initial survey, interviewing NARDAC
management to obtain background information; to
gather documents describing the NARDAC organization,
their equipment and applicable Department of
Defense, Secretary of the Navy, Chief of Naval
Operations, and Commander, Naval Data Automation
Command instructions detailing standards; and to gain
an understanding of the NARDAC policies and stan-
dards.

4. Conduct a review of management controls. Interview
and gather data from NARDAC customers and NARDAC
employees.

5. Perform a detailed examination of operations. 
Analyze the data, making additional examinations and 
evaluations as required.

6. Write a final report indicating the conclusions
drawn from the audit and supporting each conclusion
by the finding upon which it is based. Make recom-
mendations for solving the problems found.



This audit guide is organized into three chapters. Each 
chapter gives detailed steps applicable to three areas of 
EDP facility operations as follows: [Ref. 50] 

1. Computer center controls

a. organization and management;

b. input/output procedures;

c. media library;

d. operations;

e. environment and security;

f. resource and contingency planning;

g. time accounting and billing;

2. Application system procedural controls

a. transaction origination;

b. transaction entry;

c. data communications;

d. computer processing;

e. data storage and retrieval;

f. output processing;

3. Local programming development controls

a. requirements approval;

b. programming management;

c. acceptance testing;

d. documentation and interface;

e. data base administration.

The auditor may add to this program, or omit certain steps 
from the program to attain the audit objectives. Assistance 
of computer specialists may be required in application of 
this guide. 

Internal controls are essential to the prevention of 
fraud or illegal practices. Those audit steps annotated by
the letter M ("M") are to be highlighted and performance of
these steps is recommended.

IX. AUDITING THE COMPUTER CENTER

A. ORGANIZATION AND MANAGEMENT

The organization of the computer center is basic; the
structure of the organization and the quality of personnel
affect management's ability to implement internal controls. 

The preliminary survey provides the first set of infor-
mation about the NARDAC, information needed to direct and
execute an audit efficiently. Through a set of interviews
with Department Heads and Division Heads, the auditors
should obtain background information on the development of
the NARDAC, its organizational ties, its purpose, the types
of services it provides, the resources available to it, how 
they are applied, who its customers are, and the bases for 
its service charges. 

As much documentation as possible should be obtained 
since documentation on policies, procedures, plans and 
management reports can indicate the efficiency of NARDAC 
management. 

The background information obtained through the inter- 
views and the availability of documentation--or lack of
documentation--will allow the auditors to prepare an audit
plan that properly addresses itself to the areas that seem
to need special attention. Obtain an overview of the
historical development of the NARDAC.

The "Navy ADP Reorganization Study Implementation Plan 
Report" provides a detailed overview of the historical 
perspective of NARDACs. Obtain documentation of the organi- 
zation charts, policy statements, job descriptions, 
personnel listings and descriptions of services. The NARDAC
Organization Manual is an excellent source for some of the
necessary information. Indications of the established dele- 
gation of responsibilities should be obtained, as well as of 
the separation of authority, how these are defined, and the 
controls in force to assure proper adherence. 

Lists of assets reflecting the entire complement of
facilities and hardware, as well as software, should be 
obtained, together with supporting layout plans. 
Supplemental documents for the various functional areas 
(e.g., standards manuals, operator manuals, user manuals,
equipment lists and layouts, facilities plans, user lists) 
should also be gathered. 

Analysis of management’s use of performance reporting 
systems will indicate potential problems. Documentation of
planning done for the NARDAC, operational as well as finan- 
cial, for the short term and long term, should also be 
requested. 

For an overview of the administration of the NARDAC, the
organization manual, procedures or directives pertaining to 
internal as well as external functions should be reviewed. 
Personnel management will be reflected in the available 
recruiting and hiring policies, functional descriptions, 
personnel development plans and training programs, and 
career path and promotion plans. 

1. Identify the mission and operations of the facility 
to determine the major areas of EDP responsibilities 
of the activity, including scope of operations and 
limitations on responsibility and authority. 

2. Determine if the facility organization promotes 
mission accomplishment and provides separation of 
responsibilities.

3. Examine the latest reports of internal review, 
inspections, and audits, and evaluate action taken 
to correct deficiencies. 

4. "M" Review the EDP facilities risk assessment.
(Refer to Enclosure (3) of OPNAVINST 5239.1 entitled
"Automatic Data Processing Risk Assessment" for the
definition and scope of an EDP facility risk
assessment.)

a. Ensure that all assets have been identified.

b. Evaluate the reasonableness of the identified
potential for loss.

c. Ensure that a positive balance of facility
controls has been established which equates the
incremental cost of including such controls with
the risk of loss due to their omission.


5. "M" Determine that the EDP facility has established a
formal system of administrative controls which estab-
lish tasks, functions, and policies covering the
following areas:

a. preinstallation controls which cover feasibility 
studies and preinstallation planning. 

b. organization controls which cover the division of 
duties both outside and within the EDP divisions, 
the functions of the data control group, tape 
library, etc. 

c. development controls which cover the planning of 
new applications, the establishment of standard 
procedures for system design and programming, 
authorizations and approvals, testing, controls
over initial conversion, and control over subse-
quent changes.

d. procedures established for control over change 
to central design agency (CDA) supplied programs. 

e. operations controls which cover standard opera- 
ting instructions, file handling, and protection 
against accidental destruction. 

f. processing controls which cover hardware controls, 
input and output controls, programmed controls, 
and provide audit trails. 

g. documentation controls which cover problem defi- 
nition, documentation standards, systems and 
program documentation, operators' manuals, etc.

h. outside data center controls which cover the 
commitment and selection of data center services, 
organizational requirements for data center opera- 
tions, I/O controls and audit trails, and security 
for customer data records. 



6. "M" Review the EDP facility security plans
and procedures. (OPNAVINST 5239.1,
7000.36; and FIPS PUB 31)

a. Ensure that an EDP security officer has been
assigned. This position should be organization-
ally separate from the EDP operations and have
specific responsibilities and authority for imple-
mentation and maintenance of facility security.

b. Review established security policies and pro-
cedures. Specific responsibilities should be
identified for all facility personnel concerning
EDP security and periodic security training
provided.

c. Evaluate results of periodic security reviews
and determine that appropriate actions have been
taken to prevent recurrence of security viola-
tions.

d. At activities with remote terminal operations,
determine that passwords and terminal access
control responsibilities are centralized with the EDP
security officer. Ensure that procedures are
established which require periodic changes of
passwords and mandatory changes upon personnel
separations.

e. Ensure that at facilities responsible for pro-
cessing classified data EDP personnel have
security clearances equivalent to the classifica-
tion of data being processed.

f. Ensure that a formal access list exists indicating the
specific conditions under which access to the
various EDP areas will be authorized. This should
include limited access to the computer and library
areas to only personnel with assigned responsibil-
ities in these areas.

g. Review accountability of control procedures
and devices used at the facility. Ensure that
badges, card keys, cypher books, safe combina-
tions, or similar devices in use are controlled
and periodically changed and that these actions
are recorded.

7. Ensure that user/customer liaison procedures have been
established to provide for not only resolution of
input/output problems but to support periodic reports
and management reviews. (SECNAVINST 5214.2;
SECNAVINST 5210.8a)

8. "M" Verify that EDP support provided to private
parties or contractors has been properly approved
(Navy Regulations, Article 0749; and NAVCOMPT Manual,
par 075500-1) and that appropriate billing rates are
established (NAVCOMPT Manual, par. 0355881).



B. INPUT/OUTPUT CONTROL AND SCHEDULING



Effective quality assurance/production control ensures
the timeliness, accuracy, and overall integrity of work
submitted to and emanating from the computer center. This
includes scheduling of work and quality control of source
data and outbound reports to ensure accuracy and complete-
ness of data received and distributed. (NAVCOMPTINST
7000.36)



9. "M" Review facility procedures for acceptance and
scheduling of input data:

a. Examine logs, records, and schedules of antici- 
pated inputs. 

b. All input data should be scheduled.

c. Follow up should be provided on late data
receipt.

d. Records should be maintained indicating the
date source documents are due in, date received,
persons authorized to submit, and persons actually
submitting.

e. Are negative responses required when anticipated
data is not to be submitted? How is unscheduled
data received?

f. Do receipt procedures require preliminary veri-
fication to ensure that all illegible, incomplete,
or otherwise unacceptable source documents are
returned to the originator prior to further
processing of the document? Unused portions of
input coding sheets should be voided by the
originator to preclude unauthorized additions.

10. Review facility procedures for transcription and
control of input data. Analyze the following:

a. Input job control procedures should be documented
for each job and detailed procedures established
to prevent loss, misuse, or improper handling.
To ensure complete and accurate receipt and
transfer of all input documents, one or more of
the following checks should be used for each job:

(1) Document register;
(2) Batch control tickets;
(3) Transmittal slip;
(4) Beginning and ending document numbers;
(5) Money amount totals;
(6) Hash totals.



b. Source data automation procedures should use key
entry system production features to the maximum
extent possible for data verification. Rekeying
verification should only be used when key entry
system production features do not provide suffi-
cient assurance of data accuracy.

c. Ensure that key entry operating procedures pro- 
hibit key entry personnel from altering data on 
source documents and restrict access to source 
data automation programs. 






d. Ensure that the computer programmers, system
analysts, and computer operators do not have
access to source documents. Programming jobs
which require fast turnaround time should be
submitted through normal input procedures with
priority handling.

e. Analyze data entry production statistics for 
effective utilization of personnel and equipment 
capabilities. Ensure that source data automation 
back-up support plans are documented and filed 
both onsite and offsite. 

f. Ensure that the input preparation phase is 
completed in accordance with clearly specified 
processing schedules. Investigate excessive late 
deliveries of input data for processing. 

11. "M" Review facility procedures for processing output
to users. Perform an analysis of the following:

a. Ensure that there is adequate control of rejected
original documents to ensure timely distribution
to the authorized originator for investigation,
correction, and reinput or cancellation.

b. Ensure that authorization listings are maintained 
for individuals designated to receive output and 
that these provisions are enforced. 

d. Ensure that the data and condition of issuance
of input data or other ADP source data distrib-
uted for use at other EDP facilities is docu-
mented and that authorization is verified before
distribution.

e. Ensure that procedures are established to 
indicate location and specific retention and 
disposition of original source documents. 
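
The batch checks named in item 10.a (document count, beginning and ending document numbers, money amount totals, hash totals) can be recomputed mechanically when a batch is received. The Python example below is an added illustration and is not part of the thesis; the record layout, field names, finding codes, and the assumption that documents in a batch are consecutively pre-numbered are hypothetical.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Document:
    doc_no: int       # serial of the pre-numbered source document
    account: int      # non-monetary numeric field, summed only as a hash total
    amount: Decimal   # money amount carried by the document


@dataclass(frozen=True)
class BatchTicket:
    """Control figures the originator records before the batch leaves."""
    batch_id: str
    count: int
    first_doc: int
    last_doc: int
    money_total: Decimal
    hash_total: int


def make_ticket(batch_id, docs):
    """Originator side: compute the control figures for a batch."""
    if not docs:
        raise ValueError("a batch must contain at least one document")
    numbers = [d.doc_no for d in docs]
    return BatchTicket(
        batch_id=batch_id,
        count=len(docs),
        first_doc=min(numbers),
        last_doc=max(numbers),
        money_total=sum((d.amount for d in docs), Decimal("0")),
        hash_total=sum(d.account for d in docs),
    )


def verify_batch(ticket, received):
    """Receiving side: recompute each control and list every disagreement.

    Returns a list of (code, detail) tuples; an empty list means the batch
    agrees with its ticket on every control.
    """
    findings = []
    numbers = [d.doc_no for d in received]
    # Assumption: documents in a batch are numbered consecutively.
    expected = set(range(ticket.first_doc, ticket.last_doc + 1))

    if len(received) != ticket.count:
        findings.append(("COUNT", f"{len(received)} received, {ticket.count} on ticket"))
    missing = sorted(expected - set(numbers))
    if missing:
        findings.append(("MISSING_DOC", missing))
    outside = sorted(set(numbers) - expected)
    if outside:
        findings.append(("OUT_OF_RANGE_DOC", outside))
    duplicates = sorted({n for n in numbers if numbers.count(n) > 1})
    if duplicates:
        findings.append(("DUPLICATE_DOC", duplicates))

    money = sum((d.amount for d in received), Decimal("0"))
    if money != ticket.money_total:
        findings.append(("MONEY_TOTAL", f"{money} computed, {ticket.money_total} on ticket"))
    hashed = sum(d.account for d in received)
    if hashed != ticket.hash_total:
        findings.append(("HASH_TOTAL", f"{hashed} computed, {ticket.hash_total} on ticket"))
    return findings


def finding_codes(findings):
    """Reduce findings to their codes, in the order they were raised."""
    return [code for code, _ in findings]


# Constructed sample batch (not real data).
SAMPLE_BATCH = [
    Document(1001, 40112, Decimal("125.00")),
    Document(1002, 40587, Decimal("980.50")),
    Document(1003, 41230, Decimal("42.75")),
    Document(1004, 40112, Decimal("300.00")),
]
SAMPLE_TICKET = make_ticket("B-0001", SAMPLE_BATCH)

if __name__ == "__main__":
    # A document lost in transit trips the count, the sequence and both totals.
    print(verify_batch(SAMPLE_TICKET, SAMPLE_BATCH[:2] + SAMPLE_BATCH[3:]))
    # An account number miskeyed during transcription leaves the count and
    # money total intact; only the hash total disagrees.
    miskeyed = [SAMPLE_BATCH[0], Document(1002, 40578, Decimal("980.50")),
                *SAMPLE_BATCH[2:]]
    print(verify_batch(SAMPLE_TICKET, miskeyed))
```

Each control catches a different class of error, which is why item 10.a asks for one or more of them per job rather than treating them as interchangeable.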



C. MEDIA LIBRARY CONTROLS



Data processing manage 
availability of data stored 
(primarily magnetic tapes a 
this data may be especia 
requiring special custody m 
12. "M" Review access controls to the media library and
the procedures for issuance of media.

a. Ensure that there is a physical separation of
the media library from the computer room and that
adequate space is provided for storage of tapes,
disks, etc. This area should be secured when not
staffed.

b. Ensure that access to the media library is
limited to specifically authorized personnel and
is consistent with the separation of duties
between input/output, computer operation, and
media library personnel.

c. Identify personnel designated as librarians
and ensure that their duties are separate and
distinct from other EDP functions. Assess the
work schedule of the librarians to ensure that
staffing is sufficient to maintain controls over
the issuance of media.

13. "M" Review media library inventory procedures.



Ensure that the
for return. Ev
ings should show
all media stora
with job account

Ensure that instructions indicating how and
under what circumstances tapes or disks
(including blanks) can be checked in or out of
the library. This should include listing of
authorized personnel and security clearances.
Ensure that borrowed media from other locations
are documented: (1) Name of requester. (2) Date
received. (3) Due date to return. (4) Lending
location.

c.
. (2) Reel or serial number,
ect number. (4) Description of
Date created. (6)
tion of retention period. (7)
sued to and date. (9) Returned



d. Ensure that periodic physical inventories
are performed and that differences are reconciled
and missing media located. Ensure that on hand
media stocks are adequate for continuous opera-
tion.

e. Assess the adequacy of the physical storage
facilities in the main media library and in
back-up libraries.

14. Review media storage maintenance, procurement, and
disposal procedures.

a. Evaluate the facility's media unit
ing, reconditioning, and degauss
Determine the adequacy of procedu
for monitoring and accounting for
usage.

b. Ensure that media storage cleaning
ditioning, and degaussing machines
separated from the library area.

c. Unless nonstandard media storage u
justified by the facility, ensure
Sard stock media storage units
through standard supply schedules.

d. Evaluate procedures for

e.
D. OPERATION AND MALFUNCTION/PREVENTIVE MAINTENANCE



Effective and efficient processing is facilitated by 
formally defined procedures for operating personnel. This 
includes not only production procedures but also procedures 
for reporting of hardware and systems software malfunctions. 



15. Review computer room procedures.

a. Ensure that shift schedules provide for
personnel rotation and that all operators are
given experience in processing various applica-
tions. No one operator should always be respon-
sible for a particular application.

b. Ensure that the duties of computer operators,
programmers, or system analysts do not include
initiation of transactions into the system and/or
changes in the master files. Operators also
should not be allowed to utilize the console to
handle error routines without prior approval of
persons outside the operations unit.

c. Programmers, analysts, and system managers
should be denied uncontrolled access to the
computer room unless such access is clearly
prescribed and consistent with formally assigned
duties and responsibilities.

d. Determine that there are formal system operating 
procedures for each scheduled application and 
that console logs are reviewed. 
16. Evaluate malfunction and maintenance records

a. Review malfunction and maintenance records to
detect patterns of poor performance and other
exceptional characteristics.

b. Review computer system performance records
and schedules to assess the impact of maintenance
and reliability on the productivity of the
installation.

c. Review accountin

d. Interview management, vendor, and service
personnel concerning their function and their
interactions.

e. Trace the process of detecting, correcting,
accounting, and reporting hardware and software
failures. (SECNAVINST 5233.1A) Critical points
are logging, setting priorities, assigning for
resolution, exception reporting for long-lasting
troubles, assessing the performance of the
vendor, and comparing this instance with prior
instances.



17. Obtain a listing of remote terminals, evaluate the 
justification for the installations and the capabili- 
ties available at each terminal relative to file 
updating and transaction input. 



E. ENVIRONMENTAL CONTROLS AND PHYSICAL SECURITY



Data processing facilities are a substantial asset and
must be managed to minimize the possibility of loss of capa-
bility. This includes physical protection against natural
hazards and the control of individuals' use of facilities.
(OPNAVINST 5239.1, NAVCOMPTINST 7000.36)



18. "M" Obtain and analyze the floor plan of the
facility.

a. Evaluate the adequacy of the locking devices
between facility areas and at entrances and exits
(including windows).

b. Evaluate the construction and materials used in
the facility with regard to their fire-resistant
qualities. Ensure that storage areas for
combustible items, such as stocks of paper,
tapes, etc., are physically separate from the
computer room. Computer room stocks of combust-
ible materials should be limited to working stock
and stored near fire extinguishers.

c. Review all fire alarm systems and determine
how and where the systems may be activated.
Determine if the fire alarm sounds locally at the
guard stations, or at the police and fire depart-
ments. Ensure that heat and smoke detectors are
installed.

d. Determine if there is a water detection system.
Review the drainage system of the building; and,
if necessary, determine that an adequate pumping
system is installed or available from the fire
department.

e. Ensure that the condition of the facilities'
ceiling or roof provides adequate protection from
leaks. Examine the overhead area for the pres-
ence of any pipes that may result in water
damage.

19. Examine the power supply, assessing the appropriate-
ness of back-up equipment to the needs of the
facility.

a. Check records of the reliability of the local
power supply and the impact of failures on the
operation of the facility. Examine the records
of recording instrumentation measuring line
voltage.

b. Determine if there is a standby power source
to support computer operations, emergency
lighting, and electrically-operated access
controls. Ensure that the standby power system
is adequately maintained and periodically tested.

20. Examine provisions for air conditioning for the
computer room, input area, and media library.

a. Ensure that the air-conditioning equipment is
secure and is dedicated to the production areas.
Ensure that proper temperature and humidity is
maintained.

b. Determine that air conditioning and heating
systems are serviced on a regular schedule.
Ensure that backup air conditioning provisions
are adequate.

c. Assess the degree of protection provided for
air intakes, cooling towers, smoke removal, and
exhaust systems.

21. Obtain a listing of remote terminals, and evaluate 
the security procedures for permanent and portable 
installations. 



a. Inspect the terminals to determine if they are
located in appropriately controlled areas.
Examine practices from the standpoint of the use
of keyboard locking devices, operator IDs and
passwords, overprinting of passwords, and related
features.

b. Examine the access of terminal users to the
assembly-level languages and assess
protection mechanisms that are available.

c. Determine if the use of terminals associated
with classified data bases and programs is
adequately monitored and supported by data
protection techniques.

22. "M" Evaluate the facility physical access controls.

a. Obtain list of personnel who have authorized
access to various areas in the facility and
assess the necessity of such access. Compare
this list with the issue control list of card
keys, combinations, etc. that have been issued.

b. Ensure that procedures for issuance of keys,
combinations, etc. are adequate.

c. Determine if badges are used for personnel
or visitors.

d. Ensure access controls outside of day-shift hours
require reporting to notify management of
personnel who access the facility. Determine if
personnel challenge strangers.

23. Review emergency procedures.

a. Observe that emergency telephone numbers are
posted conspicuously.

b. Ensure that emergency power off switches are
marked and placed at all emergency exits and are
protected from accidental activation.

c. Review fire drill and shut down procedures for
adequacy and completeness. Determine if
employees know the location of the sprinkler
shut-off valve.

d. Ensure that portable fire extinguishers are
suitably located throughout the computer area and
that personnel are trained in their use. Obtain
documentation to verify that fire detection
equipment is tested on a regular basis. Ensure
that smoking is prohibited in the computer area
and the media library.

e. Ensure that exits are adequate, well-marked and
kept free of obstructions.

24. Determine if back-up facilities are tested at regular
intervals, and if the procedures for the test and the
changeover are readily available to personnel.



F. RESOURCE AND CONTINGENCY PLANNING



Management of the computer center has a continuing
responsibility to ensure that efficient and economical
services are provided on a continuing basis. Management
must be able to predict changes in workloads and the effect
of those changes on resource requirements. A primary
responsibility is to maintain suitable contingency control
plans covering disaster conditions, either natural or
man-made.



25. Review activity budgeting responsibilities and 
determine the adequacy of fund administration for 
budget execution. 

26. Review controls and procedures for acquiring,
reporting and monitoring the utilization of EDP
equipment.

a. Appraise the procedures for determining and
evaluating idle and excess property. Examine the
most recent Reconciliation of Plant Account for
accuracy of reporting. (SECNAVINST 5237.1A)

b. Appraise the reporting and processing of excess
EDP equipment for reutilization or disposal
actions. (SECNAVINST 5237.1)

c. Appraise management procedures to report EDP
equipment utilization. (SECNAVINST 5238.1A)

d. Appraise management procedures to maintain
optimum utilization, including the following:

(1) Determine who is responsible for performance
measurement within the data processing orga-
nization.

(2) Determine what methods or techniques the
installation uses for evaluating the effi-
ciency of computer operations (hardware and
software).

(3) Review the installation's program for
evaluating computer systems performance.

(4) Evaluate results obtained from performance
evaluation.

(5) Review available performance measurement
statistics such as hardware or software
monitor output, and system management
facility information. Do statistics show
under-utilization of any hardware? Of
particular concern are the central processing
unit (CPU), tape drives, printers, disk
drives, and channels.

27. Review facility contingency plans: 

a. Obtain and review risk analysis performed to
identify potential threats to the facility.
Ensure that contingency plans developed from this
risk analysis are consistent with the identified
threats and equate cost of implementing the
contingency plans to the potential for loss.
(OPNAVINST 5239.1)

b. Review contingency plans to ensure that
procedures are established to guide facility
activities during natural disasters as well as
civil disturbances. Contingency plans should
cover both (1) loss or destruction of data and
program files and (2) theft of information and
delays in computer processing.

c. Ensure that security and operations personnel are
periodically briefed on their responsibilities
for implementing disaster contingency plans.

28. Review facility backup support agreements:

a. Ensure that backup support agreements provide
for not only processing of critical applications
but also for input data transcription services.

b. Ensure that support sites have the capacity or
can arrange to accommodate the added backup
support by discontinuing their nonessential
processing.

c. Ensure that detailed operating procedures, 
instructions, etc. are stored with back up media 
at a remote site from the facility which can be 
transferred to the backup facility if necessary 
to resume EDP processing. 

d. Ensure that the backup processing plan has been 
tested and problems identified resolved. 



G. TIME ACCOUNTING AND BILLING PROCEDURES



Management has a responsibility to ensure that operating
costs of the computer center are equitably distributed among
reimbursable users. Equitable distribution of cost requires
that an adequate accounting system provide maintenance of
records and documentation for both financial and nonfinan-
cial data. Documentation of recorded CPU time and storage
cost plus material and labor usage must afford an adequate
basis for billing and provide a logical audit trail.



29. Review EDP accounting procedures. 

a. Ensure that billing algorithms, statements, and 
rerun cost allocation procedures provide for 
identification of responsible customer. 

b. Ensure unique supplies and other quantifiable
direct cost, such as commercial data
transcription services, are identified and
supported.

c. For nongovernment users, private parties, ensure
that the greater of either the activity computed
cost or the local commercial rate is billed.
(NAVCOMPT Manual, par. 035881)

d. Ensure that the billings are supported by detail
billing analysis for each customer.

30. Review activity billing procedures and analyze the
following:

a. Determine that there are intra/inter services
support agreements between the computer center
and reimbursable users.

b. Examine consistency between billings and the
job accounting system.

c. Examine procedures to arbitrate billing
disputes between users and the center.
X. EXAMINING APPLICATION SYSTEM PROCEDURAL CONTROLS



A. INTRODUCTION



Application system program procedural controls have
replaced many of the more conventional internal controls
developed for manual systems. To ensure that internal
controls are valid and effective, a comprehensive approach
is necessary. Not only must procedural requirements for all
operational system applications be reviewed, but the applica-
tion controls for locally developed and operated applica-
tions must also be validated. The scope of the facility
audit of application system controls should include a review
of the major control procedures of the CDA application
systems and local applications in operation at the facility
for which the facility has control responsibility. This
includes comparison of application controls, documentation,
interface with facility unique applications (and their
controls), and review of CDA required processing procedures
with activity operations. Software internal control reviews
of specific applications are beyond the scope of this audit
program.



B. TRANSACTION ORIGINATION



Effective transaction control requires that source data
be captured as soon and as close to the point of origination
as possible. Procedures must be established to control and
ensure the accuracy and completeness of each transaction
from originator and subsequent transcription entry into
transaction edit routines.



1. Review selected application systems and evaluate 
manual transaction origination procedures. 
a. Ensure that control documentation describes how
and under what circumstances transactions arise,
who is responsible for recording, encoding, and
initiating, and how it is processed.

b. Select a sample of transactions from various
applications and trace back to the corresponding
source documents; verify authorizing signatures.
Ensure that actual processing procedures were as
described in the control documentation.

c. For centrally designed systems, compare process-
ing procedures and practices to CDA system speci-
fications. Ensure that transaction origination
practices are consistent with system requirements.

2. Review interactive terminal application system input
control procedures.

a. Ensure that control procedures for terminal
operations require review and certification of
input transactions by other than the terminal
operators.

b. Ensure that controls have been established 
requiring passwords and other processing controls. 



C. TRANSACTION DATA ENTRY



Effective use of transaction data entry controls can
verify prior to application processing that data transcribed
is consistent with specified limits. Various methods can be
employed to edit transactions such as batch and check
totals, alpha and numeric field limits, etc.



3. Review selected application systems and determine 
what types of edit checks are used. Ensure that 
prescribed procedures are consistent with facility 
operating procedures. 

4. Trace a selection of transactions through this stage
of the application system to evaluate the effective-
ness of the transaction data entry controls.



D. DATA COMMUNICATIONS



The integrity of data is dependent upon processing
controls and systems operating procedures' ability to
compensate for momentary or major commercial network
failures. In addition, communication controls are required
to ensure that only authorized users have access to system
application through the communications network.



5. Review operating and application system communica-
tions controls. Ensure that the documentation is
consistent with facility operating procedures.

6. Review communications Preventive Maintenance and
Failure Reports. Records of reported failure,
emergency, and preventive maintenance actions should
be examined to assess promptness, thoroughness, and
general quality of maintenance support.

7. Review Recovery Logs or other files prepared for use
in recovery/restart processes. Review lost or
garbled data error message accountability.

8. If the system under audit possesses an integrated
test facility (ITF), this should be used to validate
error routines.



E. OUTPUT PROCESSING



Effective utilization of output products requires
controlled, timely distribution to both originators for data
confirmation and to users for action.



9. Ensure that procedures are adequate to support user
requirements.

a. Trace selected individual output products from 
printing to user receipt and usage. 

b. Verify facility procedures in processing and 
correcting erroneous output. 

10. Review formal output procedures. 

a. Ensure that procedures provide sufficient control 
to prevent unauthorized access to outputs and that 
these procedures are followed by facility and user 
personnel. 

b. Ensure that allocation of responsibilities within 
and between the computer center and its user/ 
customers provides for effective control and 
liaison. 
XI. AUDITING LOCAL PROGRAMMING MAINTENANCE AND DEVELOPMENT



A. REQUIREMENTS APPROVAL



Facility local programming for support or new programs
is contingent upon the amount of effort provided to
centrally designed and maintained programs and program
changes. Local program effort is usually very limited and
as such, user requirements must be documented and reviewed
to ensure that the maximum benefits can be obtained.



1. Review procedures for accepting user/customer
requirements for new or modified programs.

a. Determine that the user requirements have been
carefully and thoroughly documented.

b. Review estimating procedures for programming
requirements. For systems requiring cost-benefit
analyses, ensure that hardware requirements were
determined and considered in the analyses.

c. Review reporting procedures for proposed program-
ming effort. Are users provided with guidance on
existing output or other methods of satisfying
their requirements?

2. Review acceptance procedures.

a. Ensure that jobs accepted are formally approved
within the computer center.

b. Review procedures for establishing programming
priorities and subsequent scheduling.

c. Review programming workload: Ensure that
contractor programming support has been considered
if backlog situations are a continuing problem for
valid requirements.



B. PROGRAMMING MANAGEMENT

Project management techniques can be used for program
changes and development to provide a formalized means of
measuring progress through the use of periodic status
reports. (OPNAVINST 5231.1)

3. Verify that a suitable management structure exists
for program development.

a. Examine status reporting provisions. Determine
the need and the availability of specialized
reporting techniques such as PERT or reporting
approaches such as Gantt charts. The auditor
should be able to easily determine the status of
all CDA and local development projects.

b. Analyze reporting procedures for programming
progress. How well do original programming esti-
mates compare to project and budgets and actual
expenditures?

c. Examine the dissemination of status reports and
other project information to interested parties
both inside and outside the data processing group.

d. In projects that are completed or nearing comple-
tion, ensure that feedback mechanisms will ensure
that lessons learned are taken into account in
future development projects.

4. Review programming methods for the following:

a. Review user and operational documentation for
compliance with standards. (SECNAVINST 5233.1A;
DODINST 4120.17J1)

b. Ensure that the conversion plan provides
for program implementation without interruption of
data processing services to the users.

c. Determine if an adequate test plan is
developed and followed to validate each new
system. Review the adequacy of test results.

d. Does the facility use a structured programming 
approach to program development? 

5. Determine the degree of independence exercised by the 
group charged with acceptance testing of new applica- 
tion systems. 

6. Evaluate the completeness and comprehensiveness of 
test planning and test specifications used by the 
acceptance testers. 

7. Evaluate the thoroughness of the acceptance testing. 

8. Review procedures to resolve discrepancies reported by 
acceptance testing. 

9. Evaluate the degree to which users participate in the
planning, conduct, and evaluation of acceptance
testing.
C. CHANGE CONTROL



Formalized procedures for modifying operational applica-
tion systems must require written approvals and supporting
documentation. Controls in this area should focus on
preventing unauthorized, erroneous, or accidental changes
from being introduced into previously tested and accepted
computer programs. (NAVCOMPTINST 7000.36)



10. Ensure that procedures requiring formal, written
requests for changes have been established.

11. Determine what mechanisms are used for review of
proposed changes and how effectively these mecha-
nisms are used. For example, is there a change
control committee that is responsible for deciding
priorities and allocation of resources to changes?

12. Determine if there are restrictions on the number
and/or type of persons who can make changes.

13. Determine if independent means are used to report
the existence of program changes. For example,
some installations have automated the systems
management facility of the computer operating
system to prepare reports on all changes to
libraries.

14. Examine the processes associated with "quick fixes" 
to ensure that these fixes are controlled 
adequately. 

15. Determine if there are controls on the number of 
times changes can be made during a given time 
period or on the frequency of changes to any given 
program. 

16. Ascertain whether any special programs are used to 
control access to libraries of source programs. 
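
An independent report of program changes (item 13) can be produced by comparing a recorded manifest of the program library against its current state and matching each difference to the written change requests on file (items 10 and 14). The Python example below is an added illustration and is not part of the thesis; the member names, request identifiers, approver titles and report categories are hypothetical, and SHA-256 digests stand in for whatever change indicator an installation actually records.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


def manifest(library):
    """Map each program-library member name to the SHA-256 of its source."""
    return {name: hashlib.sha256(src).hexdigest() for name, src in library.items()}


@dataclass(frozen=True)
class ChangeRequest:
    request_id: str
    members: frozenset           # library members the request covers
    approved_by: Optional[str]   # None until the written approval exists
    quick_fix: bool = False      # emergency change, reviewed after the fact


def change_report(baseline, current, requests):
    """Compare two manifests and classify every difference against the
    written change requests on file."""
    common = baseline.keys() & current.keys()
    kinds = {n: "modified" for n in common if baseline[n] != current[n]}
    kinds.update({n: "added" for n in current.keys() - baseline.keys()})
    kinds.update({n: "removed" for n in baseline.keys() - current.keys()})

    # Only requests that carry an approval can authorize a change.
    approved = {}
    for req in requests:
        if req.approved_by:
            for member in req.members:
                approved.setdefault(member, []).append(req)

    report = {"authorized": [], "unauthorized": [],
              "quick_fix_review": [], "approved_not_applied": []}
    for name in sorted(kinds):
        reqs = approved.get(name, [])
        if not reqs:
            report["unauthorized"].append((name, kinds[name]))
            continue
        ids = sorted(r.request_id for r in reqs)
        report["authorized"].append((name, kinds[name], ids))
        if any(r.quick_fix for r in reqs):
            report["quick_fix_review"].append(name)
    # Approved requests with no matching library change are also worth a look.
    report["approved_not_applied"] = sorted(set(approved) - set(kinds))
    return report


# Constructed sample library contents and change requests (not real data).
BASELINE_LIBRARY = {
    "PAYCALC": b"COMPUTE NET = GROSS - TAX.\n",
    "LEAVEUPD": b"ADD ACCRUED TO BALANCE.\n",
    "RPTGEN": b"WRITE REPORT-LINE.\n",
}
CURRENT_LIBRARY = {
    "PAYCALC": b"COMPUTE NET = GROSS - TAX - ALLOT.\n",
    "LEAVEUPD": b"ADD ACCRUED TO BALANCE. ADD 8 TO BALANCE.\n",
    "RPTGEN": b"WRITE REPORT-LINE.\n",
    "TMPFIX": b"MOVE ZERO TO ERR-FLAG.\n",
}
REQUESTS = [
    ChangeRequest("CR-001", frozenset({"PAYCALC"}), "change control committee"),
    ChangeRequest("CR-002", frozenset({"TMPFIX"}), "operations supervisor", quick_fix=True),
    ChangeRequest("CR-003", frozenset({"RPTGEN"}), "change control committee"),
    ChangeRequest("CR-004", frozenset({"LEAVEUPD"}), None),  # filed, never approved
]


def sample_report():
    return change_report(manifest(BASELINE_LIBRARY), manifest(CURRENT_LIBRARY), REQUESTS)


if __name__ == "__main__":
    for section, entries in sample_report().items():
        print(section, entries)
```

The report is only independent if the baseline manifest is recorded and held by someone other than the persons able to change the library.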



D. DOCUMENTATION AND INTERFACE



Documentation is the process of describing on paper the
functions that each application system performs, how they
are performed, how the functions are to be used and how the
application interfaces with the total system. (SECNAVINST
5233.1A; NAVCOMPTINST 7000.36)



17. Ensure that documentation describes the flow of
data within the application system.

18. Ensure that documentation describes how programs
implement controls.

19. Ensure that documentation specifies how programs
are to be operated, how they are to be backed up,
and how recovery procedures are conducted.

20. Review documentation and ensure that it is being 
properly maintained and is updated. 

21. Evaluate all user documentation and review for 
clarity and usability. 



E. DATA BASE MANAGEMENT AND CONTROL

Data base management and administration have a signifi-
cant impact on the efficiency, accuracy and effectiveness of
an EDP facility, especially in the area of computer
processing. Proper documentation of operating procedures,
applications programs and procedures, and accurate cata-
logueing and maintenance of changes to data base files,
discs, tapes, data dictionary, etc. are critical in ensuring
control over the data base and the processing accuracy of
the facility's applications. There are several major areas
of control and associated safeguards that must be reviewed
during the facility audit. These include: (1) data base
control, access and physical security; (2) data base mainte-
nance and data base library controls; (3) user and technical
staff training; (4) data base/facility operations inter-
faces; (5) systems development and testing; and (6) systems,
programming and procedures documentation.

These functions are appropriately the responsibility of
the Data Base Manager (DBM). All data base systems need at
least one position of authority to enforce data base policy
and procedures. Related elements of these areas will have
been reviewed during other sections of the facility audit.
The administration of the data base has a major impact on
the overall operations of the facility; any potential over-
laps are worth reviewing to thoroughly evaluate the inter-
faces between data base and other facility activities.
22. Data Base Control, Access and Physical Security:

a. Review the organization structure to determine
if the DBM function is effectively segregated
from the rest of the organization, especially the
system development, user and operations func-
tions. The DBM function requires independence to
be effective in data base control.

b. Review the facility's operation's access con-
trols to ensure that the DBM does not have direct
access to the computer operations center. The
DBM should not be allowed to operate the facili-
ty's computer equipment.

c. Select a major customer for review of its input
controls. Review its written procedures for
input controls to ensure they maintain data base
security by keeping unauthorized users out of the
data base and also control authorized users
access to and use of the data base. Types of
controls over users include separation of duties
for document preparation and data entry, written
authorization for data entry, passwords for
system entry, system logs to document system
usage, etc. These controls should also require
that the DBM must receive user department
approval prior to entering transactions into the
system.

d. Review the DBM's control over inputs to the data
base. The DBM has responsibility for all inputs,
and should be reviewing the data entered for
quality, organization (to ensure that it complies
with existing data base formats), integrity and
level of security required.

e. Review the system of checks and balances over
changes to the data base. While the DBM is
responsible for reviewing, approving and auditing
changes to the data base, facility procedures
should call for another authorized signature
(director of data processing, facility system
development committee, etc.) prior to the DBM
making changes to the data base.

f. Review the data
they restrict 
security for cl 
with OPNAVINST 
Information Secu 
these controls 
the data base di 
appropriate secu 
or classified da 
and control over 



base file contr 
access to and 
assified mater 
5510. IF, Depar 
rity Program Re 
to the securit 
ctionary, selec 
rity clearance) 
ta elements, an 
these elements 



ols to ensure 
provide complete 
ial in accordance 
tment of the Navy 
gulation. Relate 
y descriptions in 
t (if you have the 
a random sample 
d review access to 



g. Review the physical security of the data base,
including location in the facility, access
controls and logs, etc. The DBM is responsible
for the physical security of the data base, and
should have written procedures on file governing
security of the data base. The DBM must be
consulted by the facility security manager before
any changes are made to the facility that affect
access to and security of the data base as the
DBM is responsible for the overall security of
the data base.

h. Review the DBM's written procedures for recovery
and verification of the data base in the event of
partial or complete destruction, security
violation, or other compromise of the data base.

i. Interview the facility security manager and DBM
to evaluate their responses to such data base
compromise or destruction possibilities as theft,
classified material violations, unauthorized
changes to data base programs or the data base
dictionary, modifications to data base
application's programs, unauthorized use of system or
vendor utility programs to access the data base,
etc. Classified material violations should be
investigated (OPNAVINST 5510.1F).

j. Review the facility risk assessment (OPNAVINST
5239.1).

k. Determine if the security measures and controls
selected and instituted by the facility are
appropriate and adequate to ensure control over
the data base. Review the specific controls,
including use of passwords, locatewords,
photographic ID cards for access to the data base
storage area, restriction of access to computer
operations personnel only, maintenance of a
directory of access privileges and related
security clearances and security profiles for all
personnel authorized access to the data base,
authorization tables for access to specific
programs, file records, control documentation,
etc.

l. Review systems analyst, programmer and operators'
access to the data base and determine if
appropriate controls exist to ensure data base
security and integrity. Specific items to be
reviewed include:

(1) computer console logs and data base access
logs

(2) DBM control over access to the data base
library

(3) other physical access controls over database
related software

(4) the software controls over the access to the
database via utility programs, online
networks, etc.

(5) input/output (I/O) device control and access

(6) programming and user documentation governing
access to the data base

(7) DBM control over all vendor-supplied utility
programs

(8) controls over other programs relating to the
data base to ensure only authorized
personnel can use the programs

(9) procedures for systems analyst/programmer
changes to data base programs

(10) control over access to the master terminal
for entry of changes to system utility
commands and other database-related access
changes

(11) access controls in force when purging,
reorganizing or compressing a data base

23. Data Base Maintenance and Data Base Library Controls

a. Review the facility's job descriptions to ensure
that the DBM has complete responsibility for data
base maintenance and the data base library.

b. Review the DBM's control over the contents of,
changes to, and distribution of the data
dictionary, the procedures for reviewing and
updating the data dictionary, and the quality of
the definitions in the data dictionary. The data
dictionary should include data definitions as
well as information on the audit and/or
management trails in the system. The data dictionary
is actually the for the data base in
that it identifies the nature and organization of
data in the data base and the program/data
relationships for the facility's applications, and is a
tool for validation, edit and control of the data
in the data base. The DBM should be restricting
access to the data dictionary by providing safe
storage and tight physical control over the
available copies.

c. Review the log of changes made to materials held
in the data base library. The changes should be
subjected to a quality control review by the DBM
as well as by another independent authority, such
as the director of data processing, system
development committee, etc., and should have received
signature authorization prior to entry into the
data base. Determine if a software program
exists to periodically scan the data base and
identify if any unauthorized changes have been
made.

d. Review the DBM's data base log to determine if it
accurately records such information as:

(1) data additions, deletions and changes

(2) the user, programmer or system analyst
originating the additions, changes and
deletions

(3) the reasons for the update, revisions,
reorganizations or compressions of the data
base

(4) the utilization of the data base by specific
users as well as by application, including
utility programs

(5) classified material or other data base
security violations

24. User and Technical Staff Training

a. Review the facility's training records or
individual personnel files to ensure that both
user and technical staff personnel have training
in:

(1) proper use of the data base

(2) data base security, including instruction in
the handling of classified material as
required by OPNAVINST 5510.1F

b. Review the training schedule and lesson plans
employed by the facility security officer and DBM
to determine the frequency and quality of the
instruction provided to facility personnel in
data base management and classified material
control.

25. Data Base/Facility Operation's Interfaces

a. Review the controls over the operating
environment of the data base, such as
scheduling, monitoring, data base recovery, user
access, etc. The DBM should be responsible for
controlling the data base operating environment,
authorizing any changes to operations impacting
data base usage, and coordinating with users and
application programmers regarding usage, storage,
extraction and retrieval of data in the data
base.



b. Review the preparation of the facility's operating
logs as well as usage reports generated from the
logs. The DBM should be generating data base
usage statistics, data base modification reports,
data utility program usage data, etc. for review
by the director of data processing and other EDP
management personnel.

c. Review the facility's JCL for batch-oriented
applications of special interest to the audit
team to establish the level of control over data
base access provided by the JCL. The EDP auditor
should ensure that individual jobs can only
access specifically identified files or sets of
files in a data base. This control also applies
to online systems in that specific applications
and individual transactions processed via these
applications should access only specific segments
of the data base. Test sample transactions to
determine the integrity of the JCL/online system
data base access controls by attempting to access
unrelated files or segments of the data base.

26. Systems Development and Testing 

a. Review the facility's written procedures
governing systems development and testing of new
applications to determine if the DBM participates
in the system development and testing process.
The DBM should review and approve all
modifications to software which affect the data base.
This is especially critical in the areas of
financial applications and classified material
control, and relates to both in-house and
vendor-prepared modifications.

b. Review the system development and testing
procedures to determine if the facility's
internal review staff participates in the process
or reviews new applications prior to their
approval for use in the facility. The internal
review staff should participate in the data base
and application system development and change
process to ensure that adequate controls are
being built into the data base and new
applications software.

c. Review the facility's unit and system testing
standards. These standards should be formalized
into written procedures, and compliance with
these procedures should be documented and
retained for all new system development
activities. The standards should set criteria for
preparing test data base, accompanying manual
ledgers with anticipated results to check the
accuracy of program algorithms, and documenting
modifications to applications being tested to
provide an audit trail for system development
audits.

d. Review the approaches to development of and
access to test data base. While all test data
bases and program test documentation should be
maintained in the data dictionary, the DBM should
be restricting access to the test data base and
documentation, and should ensure that
applications development staff controls the sample test
data used to evaluate new applications during the
system testing process. The DBM should also be
testing all modifications to software affecting
the data base prior to acceptance and usage by
customers.

e. Review the testing program at a detailed level. 
Specific areas to be thoroughly evaluated and 
steps to be followed include: 

(1) Review the testing procedures to ensure that
data base backup and recovery procedures for
new applications are tested prior to testing
the entire application to guard against loss
of the test data base.

(2) Ensure that only test data bases are used for
applications testing. The facility should
never allow live data bases to be used for
testing purposes. Various types of test data
bases include unit test data bases used by
application development staff to debug
programs, and benchmark test data bases used
to test program revisions when previous
testing indicates that modifications are
required.

(3) Ensure that data base users have participated
in testing of all applications affecting the
data bases relating to their applications.
User confidence in both the data base and
applications software is critical to effective
control and use of new applications, and
user participation in the testing process is
invaluable in establishing user confidence.
User feedback to applications development
staff is also valuable in development of
program modifications.

27. Systems, Programming and Procedures Documentation

a. Review the job description of the DBM to ensure
the DBM is responsible for all systems,
programming and procedures documentation relating to the
data base.

b. Review the written documentation standards to
ensure they establish specific criteria for
evaluation of all documentation affecting the data
base. All documentation relating to the data
base should be thoroughly reviewed and approved
by the DBM prior to program implementation.

c. Review the operating instructions and procedures
manuals for all applications programs accessing
the data base to ensure that backup and recovery
procedures are thoroughly documented.

d. Review the systems, programming and procedures
documentation to ensure that database-related
documentation is cross-referenced in the
documentation and consistent in its approach to
data base access, control and usage.
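
The checks an auditor applies in steps 22.e, 23.c and 23.d (a second signature before entry, a periodic scan for unauthorized changes, and a complete change log) can be run as one reconciliation program. The Python example below is an added illustration, not part of the original guide; the record layout, role labels, names and sample entries are constructed assumptions.

```python
import hashlib
from datetime import datetime

# Constructed role labels. Step 22.e names the director of data processing
# and the system development committee as examples of the second signature.
INDEPENDENT_ROLES = {"DIRECTOR_DP", "SYS_DEV_COMMITTEE"}
# Fields the DBM's log should record for every change (step 23.d).
REQUIRED_FIELDS = ("record_key", "action", "originator", "reason", "entered_at")


def digest(record):
    """Stable fingerprint of one data base record (a dict of fields)."""
    canonical = "|".join(f"{name}={record[name]}" for name in sorted(record))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def snapshot(database):
    """Map record key -> digest. Taken at each scan and stored off-line."""
    return {key: digest(record) for key, record in database.items()}


def audit_log_entry(entry):
    """Return the control failures found in one change-log entry."""
    findings = [f"missing {name}" for name in REQUIRED_FIELDS if not entry.get(name)]
    approvals = entry.get("approvals", [])
    roles = {approval["role"] for approval in approvals}
    if "DBM" not in roles:
        findings.append("no DBM review")
    if not roles & INDEPENDENT_ROLES:
        findings.append("no independent authorization")
    # Separation of duties: the originator may not sign off the change.
    if any(approval["name"] == entry.get("originator") for approval in approvals):
        findings.append("originator approved own change")
    # Signatures must be dated before the change entered the data base.
    if entry.get("entered_at"):
        entered = datetime.fromisoformat(entry["entered_at"])
        if any(datetime.fromisoformat(a["signed_at"]) > entered for a in approvals):
            findings.append("entered before authorization")
    return findings


def scan(baseline, current, log):
    """Reconcile every record that differs from the baseline with the log.

    baseline and current are snapshots; log is a list of change-log entries.
    Returns {record key: [findings]} for changes that fail a control.
    """
    by_key = {}
    for entry in log:
        by_key.setdefault(entry.get("record_key"), []).append(entry)
    report = {}
    for key in sorted(set(baseline) | set(current)):
        if baseline.get(key) == current.get(key):
            continue  # record untouched since the last scan
        entries = by_key.get(key)
        if not entries:
            report[key] = ["changed with no log entry"]
            continue
        findings = [f for entry in entries for f in audit_log_entry(entry)]
        if findings:
            report[key] = findings
    return report


def change(key, action, originator, reason, entered_at, *approvals):
    """Build one constructed log entry; approvals are (name, role, signed_at)."""
    return {"record_key": key, "action": action, "originator": originator,
            "reason": reason, "entered_at": entered_at,
            "approvals": [dict(zip(("name", "role", "signed_at"), a)) for a in approvals]}


def run_demo():
    """Constructed sample: four records, three logged changes, one unlogged."""
    before = {"ACCT-1001": {"balance": 1200}, "ACCT-1002": {"balance": 560},
              "ACCT-1003": {"balance": 75}, "ACCT-1004": {"balance": 310}}
    after = {"ACCT-1001": {"balance": 1500}, "ACCT-1002": {"balance": 650},
             "ACCT-1003": {"balance": 750}}  # ACCT-1004 was deleted
    log = [
        change("ACCT-1001", "CHANGE", "analyst_a", "rate correction", "1984-03-05T10:00",
               ("dbm_1", "DBM", "1984-03-05T08:00"), ("dir_1", "DIRECTOR_DP", "1984-03-05T09:00")),
        change("ACCT-1002", "CHANGE", "dbm_1", "", "1984-03-06T10:00",
               ("dbm_1", "DBM", "1984-03-06T09:00")),
        change("ACCT-1004", "DELETE", "prog_b", "account closed", "1984-03-07T10:00",
               ("dbm_1", "DBM", "1984-03-07T09:00"), ("dir_1", "DIRECTOR_DP", "1984-03-08T09:00")),
    ]
    return scan(snapshot(before), snapshot(after), log)


if __name__ == "__main__":
    for key, findings in run_demo().items():
        print(key, "->", "; ".join(findings))
```

The baseline snapshot has to be held where the people who can change the data base cannot rewrite it; otherwise the scan only confirms what they chose to leave visible.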


XII. SUMMARY AND CONCLUSION

Operational auditing is not a new concept or practice.
Operational audits have been conducted for many years by
internal auditors in industry as well as government.

Various names have been given to audits which involve
more than the traditional financial audit. Some of the more
popular ones are comprehensive auditing, effectiveness
auditing, systems auditing, and operational auditing. This
paper has dealt only with operational auditing. As used
here, an operational audit is an examination of policies,
practices, procedures, and controls used to find out what
areas may be improved. Operational auditing extends well
beyond financial audits, which are concerned with the
receipt, control and disbursements of funds. It includes an
evaluation of the utilization and control of nonfinancial
resources such as property, equipment, personnel, and
supplies. Thus, there is a substantial amount of literature
available for those who wish to study it in greater depth.

A NARDAC is a high technology and fast changing
organization. It covers the development, maintenance and
operation of all information services technologies including the
acceptance testing of software developed externally. It
needs in-place, ongoing evaluation. The commanding officer
of a NARDAC can gain valuable assistance from a constructive
operational audit. In general, managers of NARDACs can not
conduct such in-depth reviews of their own operations, though
an internal operational audit group is possible. Several
issues are important in the evaluation of performance at a
NARDAC: Who sets the standards? Who plays what role in
planning for the future? and Who makes basic policy
affecting both the NARDACs and the customers of NARDACs?
Because the NARDACs have Navy wide responsibility for
non-tactical ADP, some of the issues must be resolved by senior
Navy management--they can not be delegated to lower levels.

The NARDAC is an organization whose scope of technologies
to be coordinated has expanded tremendously as
computers, telecommunications and office automation have
merged together, and whose product offerings are extending
into new customer areas. The complexity of implementing
projects, the magnitude of work to be done, and the limited
human resources have forced the NARDAC away from being
primarily a production oriented organization to one where a
significant percentage of its work is concerned with
coordinating the acquisition of outside services for use by its
customers.

Measuring performance at a NARDAC by operational
auditing provides a consistent methodology and basically
uniform technique that can be used to adequately assess
performance in the seven NARDACs. The auditor, however,
must tailor the audit engagement by selecting those steps
that are appropriate to the particular NARDAC, the interests
of the audit client, and the relationship between data
availability and audit resources. This selection is the key
to the success of the audit effort. An overriding
consideration in making the selection is the evidence standard,
promulgated by the U. S. General Accounting Office, which
states: [Ref. 51]

Sufficient, competent, and relevant evidence is to be
obtained to afford a reasonable basis for the auditors'
judgements and conclusions regarding the organization,
program, activity or function under audit. A written
record of the auditors' work shall be retained in the
form of working papers.

It is the rare case where the operational auditor can
isolate the ideal single measure or standard to evaluate
performance. Yet, operational auditing can provide needed
data for improvement.

The focus on productivity improvement as the measure of
a NARDAC's value requires an instrument for measuring
productivity. Usually, productivity relates to people-based
activities, and an operational audit is an ideal tool for
seeing that management has at hand the necessary information
for decisionmaking. Operational auditing involves not only
ascertaining how objectives are being met, but also
evaluating the way the objectives were set in the first place.
Although performance criteria may be applied objectively, it
must be recognized that subjectivity enters into the
selection of these criteria.

A NARDAC is required to recover all of its costs. The
policies, as a NIF activity, are geared toward cost
liquidation. The establishment of appropriate prices is a complex
issue. An appropriate resolution is critical to
establishing and maintaining a realistic relationship between
NARDACs and their customers. NARDACs must continually
search for ways to deliver new products in more efficient
ways.

The previous chapters presented a series of frameworks
for examining the NARDACs and their function of information
services management. In sum, the paper specifies the details
as to how an information services operational audit should
be conducted. The NARDAC was treated as a stand-alone
business within the Navy. This permitted the development of the
concepts of control for information services. Issues of
internal accounting control within the NARDAC were not
covered as they do not have a direct impact on the interface
between the NARDAC and its customers.

The following overview of operational auditing is a
brief summary of the various phases and steps involved in
conducting an operational audit: [Ref. 52]

At the beginning the auditor has no idea where to go or what
to do. The first step involves determining the total
(universe).

Obtains general knowledge of total responsibilities.
Leads to total areas that can be audited.

The auditor finds there are many areas from which to choose.
An area is selected.

Background and general information on areas leads
auditor to select a specific area to be audited.

The auditor selects an area from the universe of areas; then
does a preliminary survey.

Background and general information from area leads
auditor to tentative audit objective by some
evidence and assertions. Possible alternative
tentative objectives considered.

The objective of a specific activity is determined--very
tentative. Also tentative alternatives are determined. A
review and test of management control is made.

Tests of management control give auditor evidence
to support firm objective.

A possible tentative report could be prepared at this time.
Also a program for the detailed examination is prepared if
audit is to continue.

The auditor selects firm audit objectives; gathers
sufficient, relevant, material, and competent evidence on audit
objective to come to a conclusion on that objective. The
detailed examination is done.

Obtains sufficient, relevant, material, and competent
evidence to support the conclusion on the
audit objective, including any evidence obtained
in prior phases.

A summary of evidence in working papers is made, sufficient
to support conclusions on the objectives.

Summarizes all evidence in working papers on the
objective in order have a workable *21 the
report, and to support the auditors' conclusions.

From summarized evidence, the auditor prepares the report,
including conclusions and recommendations. The report is
the final product of the audit.

Uses summarized evidence to support conclusion and
recommendations.



APPENDIX A



DEFINITIONS OF SPECIAL TERMS 



ACCEPTANCE TESTING: a process in which persons not
responsible for program implementation are charged with checking
the application system before it becomes operational. This
approach is intended to foster objectivity in evaluation of
the performance of the program and to test, in parallel,
both the application system itself and its documentation.

ACCESS METHOD: a procedure by which a program obtains data
from a mass storage file. The common access method for tape
files is sequential. There are several access methods for
disk files that vary from sequential to truly random access.

AUDITABILITY: features and characteristics of an
information system, either computer-based or manual, that allow
verification of the adequacy and effectiveness of controls
and verification of the accuracy and completeness of data
processing results.

AUDIT SOFTWARE: a set of programs which assist auditors in
performing tests on computer data files. The end product is
usually a report analyzing the data in a format designed by
the auditor to accomplish the desired audit objective.

AUDIT TRAIL: files, indexes, reports and references that
allow specific transactions to be traced back to their
source or forward to their final recording in the accounts.
It also is referred to as a management trail since it allows
management to determine propriety of processing and to
follow up on errors.

BATCH CONTROLS: a control procedure used to assure the
conversion or processing of groups of data completely and
accurately. For example, when a card file is processed, the
last card may have totals (sometimes referred to as hash or
control totals) of account numbers and amounts. As the
computer processes this file, it adds up the account numbers
and amounts and compares their sums to the numbers on the
last card. If they do not agree, an error message is
printed and processing suspended until the error is found
and corrected.

BATCH PROCESSING SYSTEM: a system for collecting and
processing data in groups (batches). Many applications in
business are of this type.

CPU: Central Processing Unit. This is the principal part
of a computer system. It is the CPU which contains the
operating system (the "brain" of the computer) and performs
the processing. The CPU contains the circuitry for the
arithmetic and logic functions included in the computer
design. A variable amount of "main memory" is also
associated with the CPU. Only data and programs contained in
"main memory" can be processed by the logic and arithmetic
functions of the computer.

COMPUTER APPLICATION SYSTEM: a computer-based information
system that includes both manual and computerized procedures
for source transaction origination, data processing and
record keeping, and report preparation.

DATA BASE: a collection of data which is organized in such
a way that allows a data item to be available to different
users within an organization. Rather than having separate
files for each application, all files for all applications
are merged into one "total" file or data base. It is
frequently associated with data base management systems
which rely on such a file structure.



DATA TRANSMISSION (DATA COMMUNICATION): the sending of data
from one location to another location. Typically,
information is sent over telephone wires from outlying terminals to
the central processor. Typical controls which assure the
completeness and accuracy of such transmission are character
counts, message counts and dual transmissions. Data
security is an important internal control consideration in
systems which use data transmission since data and programs
are more susceptible to access by unauthorized persons.



DISK PACK: a device for storing computer created data
files. Although their capacities vary significantly, a
typical disk pack can store millions of characters. Some
disk packs are portable. This allows more than one disk
pack to be placed on a disk drive, the device the computer
uses to read and write from a disk pack. Because of the
portability of some disk packs, good internal control
requires that they be properly safeguarded.

DISTRIBUTED PROCESSING: a decentralized approach to
information processing. A distributed system is an aggregation
of information systems (intelligent terminals or
mini-computers) arranged as relatively independent subsystems
that are tied together through a central computer via
communication networks.



DOCUMENTATION: a means for understanding the purpose of a
program and communicating the program details to a reader.

DOCUMENTATION STANDARDS: an established acceptable level of
documentation. All program and system documentation should
be measured against this standard, and procedures should be
established for bringing inadequate documentation to an
acceptable level.

EDIT: a control technique which determines if data is
inaccurate, incomplete, unreasonable or fails to meet
established criteria. This procedure can be done manually
before processing or by the computer at the beginning or at
subsequent stages in regular processing. This may be the
sole purpose of certain programs (commonly called edit
programs) within an application. Common edits are: edits
for reasonableness or limit tests, such as determining if
hours reported for a weekly wage earner are in excess of 60
hours; missing data tests, such as no employee or part
number; and illegal character tests, such as an alpha
character (letter) in a numeric field.
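
The BATCH CONTROLS and EDIT definitions above describe checks that run before any transaction is posted. The following Python example is an added illustration, not part of the original glossary; the card layout (detail cards `D,employee number,hours` and a trailer card carrying the two control totals) and the sample batches are constructed assumptions.

```python
MAX_WEEKLY_HOURS = 60  # limit test quoted in the EDIT definition


def edit_card(employee_no, hours):
    """Edit one detail card; return a list of error messages (empty = clean)."""
    errors = []
    if not employee_no.strip():
        errors.append("missing employee number")            # missing data test
    elif not (employee_no.isascii() and employee_no.isdigit()):
        errors.append("illegal character in employee number")
    if not hours.strip():
        errors.append("missing hours")
    elif not (hours.isascii() and hours.isdigit()):
        errors.append("illegal character in hours")         # alpha in numeric field
    elif int(hours) > MAX_WEEKLY_HOURS:
        errors.append(f"hours exceed {MAX_WEEKLY_HOURS}")    # reasonableness test
    return errors


def process_batch(cards):
    """Edit every detail card, then check the trailer's control totals.

    Constructed card layout: detail 'D,<employee no>,<hours>' and a last
    card 'T,<hash total of employee numbers>,<total hours>'.
    Nothing is posted unless the whole batch passes.
    """
    def suspended(errors):
        return {"status": "SUSPENDED", "errors": errors, "posted": []}

    if not cards or not cards[-1].startswith("T,"):
        return suspended(["batch has no trailer card"])
    details, trailer = cards[:-1], cards[-1].split(",")

    errors, accepted = [], []
    for seq, card in enumerate(details, start=1):
        fields = card.split(",")
        if len(fields) != 3 or fields[0] != "D":
            errors.append(f"card {seq}: malformed card")
            continue
        problems = edit_card(fields[1], fields[2])
        errors.extend(f"card {seq}: {p}" for p in problems)
        if not problems:
            accepted.append((int(fields[1]), int(fields[2])))
    if errors:
        return suspended(errors)

    if len(trailer) != 3 or not all(t.isascii() and t.isdigit() for t in trailer[1:]):
        return suspended(["trailer card is malformed"])
    # The hash total has no business meaning; it only proves that the
    # employee numbers read are the ones that were originally batched.
    hash_total = sum(emp for emp, _ in accepted)
    hours_total = sum(hrs for _, hrs in accepted)
    if hash_total != int(trailer[1]):
        errors.append(f"hash total: trailer {trailer[1]}, computed {hash_total}")
    if hours_total != int(trailer[2]):
        errors.append(f"hours total: trailer {trailer[2]}, computed {hours_total}")
    if errors:
        return suspended(errors)
    return {"status": "ACCEPTED", "errors": [], "posted": accepted}


# Constructed sample batches.
GOOD_BATCH = ["D,1001,40", "D,1002,38", "D,1003,45", "T,3006,123"]
# Employee number keyed as 1020 instead of 1002.
MISKEYED_BATCH = ["D,1001,40", "D,1020,38", "D,1003,45", "T,3006,123"]
# Hours over the limit, a blank employee number, and a letter O in "10O3".
EDIT_FAIL_BATCH = ["D,1001,72", "D,,38", "D,10O3,45", "T,3006,123"]

if __name__ == "__main__":
    for name, batch in [("good", GOOD_BATCH), ("mis-keyed", MISKEYED_BATCH),
                        ("edit failures", EDIT_FAIL_BATCH)]:
        result = process_batch(batch)
        print(name, result["status"], result["errors"])
```

In the mis-keyed batch the hours total still balances, so only the hash total of employee numbers exposes the error.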

ERROR CORRECTION PROCEDURES: the method by which errors
detected by input, program and processing, and output
controls of the computer system are corrected and
resubmitted for processing. Unless the corrections of errors are
subjected to the same controls as new input data, an
otherwise strong system of internal accounting control could be
ineffective. In general, computer operators and control
clerks should never correct errors committed by a user.

FILE: a complete set of related logical records.

FILE CONTROL: a system of protection and back-up provisions
which help assure that data files will not be harmed or
manipulated intentionally or accidentally. Examples of file
controls are the son-father-grandfather system of back-up,
retention dates on header labels, fireproof storage vaults,
off-premise storage, temperature and humidity controls,
restricted access and file protection rings.

FLOWCHART: a diagram which shows the logic of a program
(the way in which a record is processed) or shows the
sequence in which programs are processed and files are used
or created. Flowcharts of the first type are called program
flowcharts, logic diagrams or logic charts; the latter type
are called system flowcharts.

GRANDFATHER-FATHER-SON: a system for backing up magnetic
media files where previous master files and transaction
files are kept to reconstruct the current master file if
necessary. The current master file (the son) is a product
of processing the last transaction file with the next to
last master file (the father) which itself is the product of
the next to last transaction file and the second oldest
master file (the grandfather).

INTERNAL CONTROL: (administrative control and accounting
control) administrative control includes, but is not limited
to, the plan of organization and the procedures and records
that are concerned with the decision processes leading to
management's authorization of transactions. Such
authorization is a management function directly associated with the
responsibility for achieving the objectives of the
organization and is the starting point for establishing accounting
control of transactions.

INPUT CONTROLS: controls designed to insure that data going
into the EDP system is authorized, accurate, and complete.
This is where most errors are generally made, and therefore,
the controls should be designed to be as effective as possible.

MASS STORAGE FILES: Storage devices, usually on tapes or
disks, which permit the storage of very large volumes of
data.

MASTER FILE: an organized data file which provides the
primary basis of current information for accounts or other
types of files, such as name and address files. Master
files are updated periodically by other data files (called
transaction files) which include all changes to the file
since the last updating run. The combination of old master
files and transaction files provides the back-up for the
current master file.

OPERATING LOGS: written records of all functions performed
by the computer system, including the jobs processed, the
start time, the stop time, the condition of the termination
of the job (normal or abnormal) and operator actions taken.
Operating logs can be completed by the operator, by the
computer through the console typewriter or by both.

OPERATING SYSTEM: a group of programs that control all
resources attached to the CPU, manage application programs
in process and provide other supporting functions.

OPERATOR; the person with the responsibility of running 
gobs on the computer, who generally processes the jobs 
according to a prearranged schedule and handles all of the 
equipment including putting card program decks into the card 
reader and mounting tapes and disks on drives. 
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OPERATOR m STR gCTIONS : written procedures that operators 

foricw~tc run a 3 oB.~ These instructions cover mounting and 
dismounting tapes, changing paper, setting dials and 
switches, and responding through the console typewriter. In 
general, these instructions include all items necessary for 
setting up, processing and completing a job. 

PREVENTIVE MAINTENANCE: the process of keeping computer 
equipment in acceptable working condition as opposed to 
correcting after malfunctions occur. Owners or lessors of 
computer equipment generally enter into equipment servicing 
contracts with the manufacturer. In addition to providing 
for service when equipment breaks down, these contracts call 
for cleaning and testing equipment on a periodic basis, 
usually weekly. 

PROGRAM CODING SHEETS: worksheets used for writing 
programs. These forms are designed for ease in keypunching 
and for adherence to conventions established for programming 
language. 

PROGRAM LISTING: a sequential listing of all the statements 
of a computer program. In general, program listings 
should not be available to computer operators since this 
would violate the principle of segregation of duties. 

PROGRAM REVISIONS: changes to a computer program. Good 
internal control calls for adhering to established 
documentation standards whenever a program is changed. A record of 
the review and approval of these revisions should be kept. 



PROGRAM TESTING PROCEDURES: the established method for 
testing new programs or changes to existing programs. Test 
data, sometimes called test decks, should be designed to 
thoroughly test all logic paths within the program. Valid 
as well as invalid data should be used to test the program. 
Once the test data is created, it should be retained to 
document this testing of the program and to be available for 
testing program revisions. 



RESTART: the capability to continue processing a file after 
the program stops at an interim point for some reason. Many 
programs can take a relatively long time to process a file, 
primarily because of the volume of data on the file itself. 
On occasion processing will be halted abnormally. If it 
were necessary to begin all programs at the beginning each 
time, hours of processing could be lost. Restart 
capabilities therefore can be important from an efficiency point of 
view. 

RETENTION DATE: a date placed upon the label of a tape or 
disk which tells the computer, operator or librarian how 
long the file is to be kept. If the retention date has not 
passed, the file should not be updated or discarded 
(scratched). 

RUN: a description of the processing of a job by the 
computer; the printed output related to the processing of a job. 

RUN BOOKS: a potentially ambiguous term. In some 
installations they refer to operators' manuals which are used to 
process jobs. In other installations they refer to manuals 
which contain all documentation for an application. The 
difference is important, since if operators have access to 
run books and they contain all information on an 
application, good principles of internal controls are violated. 

SCRATCH: a description of a tape or disk which is ready to 
accept new data; the process of making a tape or disk ready 
to accept new data. 

SEQUENCE CHECKING: an editing procedure that compares the 
control number in a sequential file with the previous 
control number. If it is not greater than or equal to the 
previous number, the program notes that a sequence error has 
occurred. 

SERVICE CENTER: an organization which provides data 
processing and other closely related services to other 
organizations. 



SOFTWARE: computer programs. 

SOURCE DOCUMENTS: the beginning point for data entering the 
computer system. These documents originate in user 
departments and may be in the form of time cards, purchase 
requisitions, etc. After the data are entered into the computer 
system, these documents should be stored or returned to the 
customer. 



STRUCTURED PROGRAMMING: the group of techniques that 
provide specific guidelines to programmers on how they may 
use programming languages and how elements of programs fit 
together to form an application system. These techniques 
were initially developed with the intent of providing more 
controllable and usable programs. They also offer, as a 
fringe benefit, improved auditability of programs produced 
under these techniques. The techniques falling under this 
heading are as follows: 



Chief Programmer Team Organization. This technique is 
based on the establishment of a small, integrated team 
headed by a chief programmer and supported by two or 
three analysts and programmers and a librarian. Use of 
this approach has proved effective in many instances. 



Top-down Design. This technique consists of designing 
program logic by specifying the highest level functions 
first and then proceeding downward to greater and 
greater detail. Use of this approach tends to organize 
programs more simply and effectively. 



Modularization. This technique focuses on careful 
segmentation of programs into common and generally 
useful modules to ensure simplicity and minimum 
redundancy. 



Structured Coding. This approach uses a collection of 
conventions for syntax and program format to ensure that 
the programs are more easily understood and are less likely 
to contain errors. 



Walk-through. A planned review of system specifications 
and code by peers of the developers. This approach 
has been effective in minimizing built-in errors. 



Top-down Testing. Skeleton control modules are tested 
first, and testing then progresses down the module structure to 
finally test the entire system. 



(The auditor should focus on determining the presence or 
absence of the above or related techniques and the 
effectiveness of their use. Evidence of the use of these 
techniques can be considered a positive sign even though the 
auditor may be unable to fully appreciate and understand the 
mechanics of the techniques.) 

SYSTEM ANALYSIS: process of studying systems to determine 
if changes should be made and if so, how they should be 
carried out. 

SYSTEM DEVELOPMENT: designing, testing and implementing new 
systems. 

TIME SHARING: a method of data processing which provides 
extensive data processing capability on a basis that would 
not be practical or economically feasible if maintained 
individually by each user. Generally a wide range of 
computerized applications are offered simultaneously for 
many users. These users in effect "share" the CPU. 

TRANSACTION FILE: record of all changes to a master file 
since the last master file updating run. 

UTILITY PROGRAMS: programs provided by manufacturers to 
assist an installation in the functioning of its data 
processing. Examples of such programs are sorts, merges, 
and DITTO (a program which, among other things, allows for 
dumping or copying a file). 